Feat/Security: add hardened Traefik proxy plugin; harden Keycloak and NetBird controller; add security docs (ANIT-3)
Merged
Stapel Dev opened 4 months ago

Summary

  • Added configuration/traefik plugin:
    • Hardened Traefik v2 proxy with ACME, HTTP→HTTPS redirect, strict security headers, reusable rate-limit middleware, optional dashboard, and external Docker network for apps.
    • Files: README.md, meta.yml, playbook.yml, files/docker/.env.j2, files/docker/docker-compose.yml.j2.
  • Hardened existing plugins:
    • Keycloak: added no-new-privileges, cap_drop: ALL, tmpfs /tmp, Traefik security headers; surfaced KC_DB_URL_PARAMETERS via .env (default sslmode=prefer).
    • NetBird controller: added no-new-privileges, cap_drop: ALL, tmpfs /tmp across services; Traefik security headers and API rate limiting (configurable via netbird_controller.rateLimit.*).

Security Notes

  • Default security headers: HSTS (preload, includeSubdomains), X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy no-referrer, conservative Permissions-Policy.
  • Reusable rate-limit middleware for Traefik: proxy-rl@docker (defaults: avg 100/s, burst 200).
  • .env files rendered with 0640; no default admin/DB secrets injected.

Docs

  • Keycloak and NetBird controller READMEs updated with Security sections and tuning guidance.

Validation

  • Pre-commit hooks passed (generators, metadata, README checks).
  • Plugin index updated automatically.

If you want, I can also propose a short reviewer checklist in the PR (ports 80/443 available, DNS in place, secrets set, rate limits tuned).
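What the hardening and middleware described in this PR look like as Docker labels, as an added illustration that is not the plugin's own compose template; the `proxy` network name, service names, image tags, the `sso.example.com` host and the `le` certificate resolver are assumptions, and Traefik's static configuration (entrypoints, ACME) is omitted:

```yaml
# Added illustration only; not the plugin's files/docker/docker-compose.yml.j2.
# Network name "proxy", service names, image tags and the hostname are assumptions;
# Traefik's static config (entrypoints web/websecure, ACME resolver "le") is omitted.
services:
  traefik:
    image: traefik:v2.11
    security_opt: ["no-new-privileges:true"]   # container hardening applied across services
    cap_drop: [ALL]
    tmpfs: [/tmp]
    labels:
      - "traefik.enable=true"
      # Strict security headers listed in the PR, defined once as a reusable middleware
      - "traefik.http.middlewares.sec-headers.headers.stsSeconds=31536000"
      - "traefik.http.middlewares.sec-headers.headers.stsIncludeSubdomains=true"
      - "traefik.http.middlewares.sec-headers.headers.stsPreload=true"
      - "traefik.http.middlewares.sec-headers.headers.customFrameOptionsValue=DENY"
      - "traefik.http.middlewares.sec-headers.headers.contentTypeNosniff=true"
      - "traefik.http.middlewares.sec-headers.headers.referrerPolicy=no-referrer"
      - "traefik.http.middlewares.sec-headers.headers.permissionsPolicy=camera=(), microphone=(), geolocation=()"
      # Reusable rate limit (avg 100/s, burst 200); apps reference it as proxy-rl@docker
      - "traefik.http.middlewares.proxy-rl.ratelimit.average=100"
      - "traefik.http.middlewares.proxy-rl.ratelimit.burst=200"
      # HTTP -> HTTPS redirect for every host arriving on the plain entrypoint
      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.middlewares=to-https"
      - "traefik.http.middlewares.to-https.redirectscheme.scheme=https"
      - "traefik.http.middlewares.to-https.redirectscheme.permanent=true"
    networks: [proxy]

  keycloak:
    image: quay.io/keycloak/keycloak:24.0
    security_opt: ["no-new-privileges:true"]
    cap_drop: [ALL]
    tmpfs: [/tmp]
    environment:
      # Surfaced by the PR; sslmode=prefer falls back to plaintext if the DB offers no TLS
      KC_DB_URL_PARAMETERS: "sslmode=prefer"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.keycloak.rule=Host(`sso.example.com`)"
      - "traefik.http.routers.keycloak.entrypoints=websecure"
      - "traefik.http.routers.keycloak.tls.certresolver=le"
      - "traefik.http.routers.keycloak.middlewares=sec-headers@docker,proxy-rl@docker"
    networks: [proxy]

networks:
  proxy:
    external: true   # the shared external network the PR describes for apps behind the proxy
```

For a production database, `sslmode=require` or `verify-full` is the setting to tune toward; `prefer` only opportunistically encrypts.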

Commits were merged into target branch
pull request 1/1
Submitter Stapel Dev
Target main
Source plugins
Assignees
Merge Strategy
Create Merge Commit
Watchers (1)
Reference
pull request ANIT-3