Post-Tyranny-Tech-Infrastructure/ansible/roles/traefik/templates/dynamic.yml.j2

# Traefik dynamic configuration
# Managed by Ansible - do not edit manually

http:
  routers:
    # Zitadel identity provider
    zitadel:
      rule: "Host(`zitadel.test.vrije.cloud`)"
      service: zitadel
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
      middlewares:
        - zitadel-headers

    # Nextcloud file sync/share
    nextcloud:
      rule: "Host(`nextcloud.test.vrije.cloud`)"
      service: nextcloud
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
      middlewares:
        - nextcloud-headers
        - nextcloud-redirectregex

  services:
    # Zitadel service
    zitadel:
      loadBalancer:
        servers:
          - url: "h2c://zitadel:8080"

    # Nextcloud service
    nextcloud:
      loadBalancer:
        servers:
          - url: "http://nextcloud:80"

  middlewares:
    # Zitadel-specific headers
    zitadel-headers:
      headers:
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        stsPreload: true

    # Nextcloud-specific headers
    nextcloud-headers:
      headers:
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        stsPreload: true

    # CalDAV/CardDAV redirect for Nextcloud
    nextcloud-redirectregex:
      redirectRegex:
        permanent: true
        regex: "https://(.*)/.well-known/(card|cal)dav"
        replacement: "https://$1/remote.php/dav/"

    # Security headers
    security-headers:
      headers:
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000
        customFrameOptionsValue: "SAMEORIGIN"

    # Rate limiting
    rate-limit:
      rateLimit:
        average: 100
        burst: 200