Add traefik in front of CHP

introduces configuration for manual tls and letsencrypt

tljh/systemd-units/configurable-http-proxy.service

@@ -5,7 +5,7 @@
 After=network.target
 
 [Service]
-User=root
+User=nobody
 Restart=always
 # chp process should have no write access anywhere on disk
 ProtectHome=tmpfs
@@ -16,8 +16,8 @@ ProtectKernelTunables=yes
 ProtectKernelModules=yes
 EnvironmentFile={install_prefix}/state/configurable-http-proxy.secret
 ExecStart={install_prefix}/hub/node_modules/.bin/configurable-http-proxy \
-            --ip 0.0.0.0 \
-            --port 80 \
+            --ip 127.0.0.1 \
+            --port 15003 \
             --api-ip 127.0.0.1 \
             --api-port 15002 \
             --error-target http://127.0.0.1:15001/hub/error

tljh/systemd-units/traefik.service

@@ -0,0 +1,23 @@
+# Template file for Traefik systemd service
+# Uses simple string.format() for 'templating'
+[Unit]
+# Wait for network stack to be fully up before starting proxy
+After=network.target
+
+[Service]
+User=root
+Restart=always
+# process only needs to write acme.json file, no other files
+ProtectHome=tmpfs
+ProtectSystem=strict
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+WorkingDirectory={install_prefix}/state
+ExecStart={install_prefix}/hub/bin/traefik \
+            -c {install_prefix}/state/traefik.toml
+
+[Install]
+# Start service when system boots
+WantedBy=multi-user.target