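# =============================================================================
# Traefik Dynamic Configuration
# This file defines your routers, services, and middlewares.
#
# HTTP → HTTPS redirection is handled globally in traefik.yml, so each service
# only needs a single router for HTTPS.
#
# Sections marked "No changes needed" are reusable building blocks.
# Sections marked "CONFIGURE" are where you add your own services.
# =============================================================================

http:
  # --- No changes needed ---------------------------------------------------
  middlewares:
    https-headers:
      # Required for services that need to know the original protocol
      # (e.g. Mastodon, Matrix/Synapse).
      # The value is hard-coded, so it is only truthful on routers bound to a
      # TLS entrypoint (every router below uses `websecure`). Do not attach
      # this middleware to a router on a plain-HTTP entrypoint.
      headers:
        customRequestHeaders:
          X-Forwarded-Proto: "https"

    # HSTS response headers (e.g. for Nextcloud). They tell browsers to refuse
    # plain HTTP for this host, which protects against protocol-downgrade
    # man-in-the-middle attacks.
    hsts:
      headers:
        # 15552000 s = 180 days. Browsers cache the policy for that long, so
        # it cannot be switched off quickly once clients have seen it.
        stsSeconds: 15552000
        # Extends the policy to every subdomain of the host that sends it:
        # each of them must serve valid HTTPS before this is enabled.
        stsIncludeSubdomains: true
        # Only appends the `preload` token to the header.
        # NOTE(review): the browser preload list is understood to require a
        # max-age of at least one year (31536000 s), so with 180 days the
        # token would not qualify the domain - confirm, then either raise
        # stsSeconds or drop stsPreload deliberately.
        stsPreload: true

  serversTransports:
    # Use this for backend containers that use self-signed TLS certs
    # (e.g. Nextcloud). Reference it in a service with:
    #   serversTransport: insecure-transport
    #
    # insecureSkipVerify turns certificate verification off for the
    # Traefik -> backend hop: the traffic is still encrypted, but the backend
    # is no longer authenticated, so whatever answers on that address is
    # trusted. Keep it to backends on an isolated container network.
    insecure-transport:
      insecureSkipVerify: true

    # Stricter alternative: keep verification on and trust the backend's own
    # certificate (or the CA that signed it) explicitly.
    #
    # verified-transport:
    #   serverName: "container-name"    # must match a name in the backend cert
    #   rootCAs:
    #     - "/path/to/backend-ca.pem"   # placeholder path
  # -------------------------------------------------------------------------

  # --- CONFIGURE -----------------------------------------------------------
  routers:
    # Basic service
    my-service:
      rule: "Host(`service.example.com`)"  # <-- change domain
      entryPoints:
        - websecure
      service: my-service
      tls:
        certResolver: letsencrypt

    # Service that needs X-Forwarded-Proto (e.g. Mastodon, Synapse)
    my-service-with-headers:
      rule: "Host(`other.example.com`)"  # <-- change domain
      entryPoints:
        - websecure
      service: my-service-with-headers
      middlewares:
        - https-headers
        - hsts
      tls:
        certResolver: letsencrypt

    # Service with a self-signed cert on the backend (e.g. Nextcloud).
    # No middleware is attached here: if the backend does not send
    # Strict-Transport-Security itself, add
    #   middlewares:
    #     - hsts
    # to this router.
    my-https-backend:
      rule: "Host(`secure.example.com`)"  # <-- change domain
      entryPoints:
        - websecure
      service: my-https-backend
      tls:
        certResolver: letsencrypt

  services:
    # PORT is a placeholder in every URL below; the URL is not valid until it
    # is replaced with the backend's real port number.
    my-service:
      loadBalancer:
        servers:
          - url: "http://container-name:PORT"  # <-- change container name and port

    my-service-with-headers:
      loadBalancer:
        servers:
          - url: "http://container-name:PORT"  # <-- change container name and port

    my-https-backend:
      loadBalancer:
        servers:
          - url: "https://container-name:PORT"  # <-- change container name and port
        # Backend certificate is NOT verified on this hop; see the
        # insecure-transport definition under serversTransports.
        serversTransport: insecure-transport
  # -------------------------------------------------------------------------

# =============================================================================
# TCP — only needed for raw TCP services (game servers, etc.)
# Remove this section entirely if you don't need it.
# =============================================================================

tcp:
  # --- CONFIGURE -----------------------------------------------------------
  routers:
    my-tcp-service:
      # HostSNI(`*`) is a catch-all: every connection arriving on the
      # entrypoint is forwarded to the service. This router has no `tls`
      # section, so Traefik adds neither TLS nor authentication; the backend
      # is reachable by anyone who can reach the entrypoint's port. Give each
      # such service its own entrypoint and restrict the port at the firewall
      # if it is not meant to be public.
      rule: "HostSNI(`*`)"
      entryPoints:
        - my-tcp-entrypoint  # <-- must match an entrypoint defined in traefik.yml
      service: my-tcp-service

  services:
    my-tcp-service:
      loadBalancer:
        servers:
          - address: "container-name:PORT"  # <-- change container name and port
  # -------------------------------------------------------------------------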