# Traefik Dynamic Configuration for External Services
# This file handles routing to services NOT managed by Docker Swarm
http:
  #-----------------------------------------------------------------------------------
  #                          EXTERNAL SERVICES SECTION
  #-----------------------------------------------------------------------------------
  services:
    unraid:
      loadBalancer:
        servers:
        - url: "http://10.0.4.10:80"
    # emby:
    #   loadBalancer:
    #     servers:
    #     - url: "http://10.0.4.10:8096"

    #-----------------------------------------------------------------------------------
    #                          ROUTERS SECTION
    #-----------------------------------------------------------------------------------
  routers:
    # Local VPN-only services (*.swarm.home)
    unraid-local:
      rule: "Host(`unraid.swarm.home`)"
      entryPoints:
      - web
      - websecure
      service: unraid
      tls: {}

    # Public-facing services (*.frostlabs.me)
    # Example: To add a public service, uncomment and customize:
    # my-public-service:
    #   rule: "Host(`myapp.frostlabs.me`)"
    #   entryPoints:
    #   - websecure
    #   service: my-service-name
    #   tls:
    #     certResolver: cloudflare
    #   middlewares:
    #   - authentik  # Optional: Add authentication

    # emby:
    #   rule: "Host(`movies.swarm.home`)"
    #   entryPoints:
    #   - web
    #   - websecure
    #   service: emby
    #   tls: {}

    #-----------------------------------------------------------------------------------
    #                          MIDDLEWARES SECTION
    #-----------------------------------------------------------------------------------
  middlewares:
    # Authentik forward auth for protecting services
    authentik:
      forwardAuth:
        address: "http://authentik_server:9000/outpost.goauthentik.io/auth/traefik"
        trustForwardHeader: true
        authResponseHeaders:
        - X-authentik-username
        - X-authentik-groups
        - X-authentik-email
        - X-authentik-name
        - X-authentik-uid

    # Security headers for public-facing services
    security-headers:
      headers:
        frameDeny: true
        browserXssFilter: true
        contentTypeNosniff: true
        sslRedirect: true
        forceSTSHeader: true
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        stsPreload: true

    # Rate limiting for public services
    rate-limit:
      rateLimit:
        average: 100
        period: 1s
        burst: 50