Implement security HTTP headers' middleware

roles/nextcloud/tasks/main.yml

@@ -33,6 +33,7 @@
       traefik.http.routers.nextcloud.rule: "Host(`{{ nextcloud_domain }}`)"
       traefik.http.routers.nextcloud.entrypoints: websecure
       traefik.http.routers.nextcloud.tls.certresolver: resolver
+      traefik.http.routers.nextcloud.middlewares: "securehttps@file,nextcloud-webdav"
       traefik.http.middlewares.nextcloud-webdav.redirectregex.regex: "https://(.*)/.well-known/(card|cal)dav"
       traefik.http.middlewares.nextcloud-webdav.redirectregex.replacement: "https://${1}/remote.php/dav/"
       traefik.http.middlewares.nextcloud-webdav.redirectregex.permanent: "true"

roles/traefik/defaults/main.yml

@@ -2,6 +2,8 @@ traefik_name: traefik
 traefik_dashboard: false
 traefik_root: "/opt/{{ traefik_name }}"
 traefik_production: false
+traefik_hsts_preload: false
+traefik_hsts_seconds: 0
 traefik_ports:
   - "80:80"
   - "443:443"

roles/traefik/files/tls.yml

@@ -1,4 +0,0 @@
-tls:
-  options:
-    default:
-      minVersion: VersionTLS12

roles/traefik/tasks/main.yml

@@ -9,10 +9,10 @@
     dest: "{{ traefik_root }}/config/traefik.yml"
   notify: restart_traefik
 
-- name: Install dynamic Traefik configuration
+- name: Install dynamic security configuration
-  copy:
+  template:
-    src: tls.yml
+    src: security.yml.j2
-    dest: "{{ traefik_root }}/config/dynamic/tls.yml"
+    dest: "{{ traefik_root }}/config/dynamic/security.yml"
     owner: root
     group: root
     mode: 0600

roles/traefik/templates/security.yml.j2

@@ -0,0 +1,15 @@
+tls:
+  options:
+    default:
+      minVersion: VersionTLS12
+
+http:
+  middlewares:
+    securehttps:
+      headers:
+        frameDeny: true
+        sslRedirect: true
+        browserXssFilter: true
+        contentTypeNosniff: true
+        stsPreload: {{ traefik_hsts_preload }}
+        stsSeconds: {{ traefik_hsts_seconds }}