entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: web-secure
          scheme: https
    proxyProtocol:
      trustedIPs:
        - "{{ wireguard.cidr }}"
        - "{{ pve_hosts.internal_cidr }}"
        - "{{ nebula.cidr }}"
        - "{{ tailscale_cidr }}"
  web-secure:
    address: :443
    http:
      middlewares:
        - floc-block@file
        - compress@file
      tls:
        certresolver: le
        domains:
          - main: theorangeone.net
            sans: "*.theorangeone.net"
          - main: jakehoward.tech
            sans: "*.jakehoward.tech"
          {% if traefik_provider_dokku %}
          - main: d.theorangeone.net
            sans: "*.d.theorangeone.net"
          {% endif %}
    proxyProtocol:
      trustedIPs:
        - "{{ pve_hosts.ingress.ip }}/32"
    forwardedHeaders:
      trustedIPs:
        - "{{ wireguard.server.ip }}/32"  # This is obtained from the connecting `proxy_protocol`
  traefik:
    address: :8080

ping: {}

providers:
  docker:
    endpoint: tcp://docker_proxy:2375
    watch: true
    exposedByDefault: false
    network: traefik
  file:
    directory: /etc/traefik/conf

api:
  dashboard: true
  insecure: true

certificatesResolvers:
  le:
    acme:
      email: "{{ vault_letsencrypt_email }}"
      storage: /etc/traefik/acme.json
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 0
        resolvers:
          - 1.1.1.1:53
          - 1.0.0.1:53

  gandi:
    acme:
      email: "{{ vault_letsencrypt_email }}"
      storage: /etc/traefik/acme.json
      dnsChallenge:
        provider: gandiv5
        delayBeforeCheck: 0
        resolvers:
          - 1.1.1.1:53
          - 1.0.0.1:53

serversTransport:
  insecureSkipVerify: true

metrics:
  prometheus:
    entryPoint: traefik

tls:
  options:
    default:
      minVersion: VersionTLS12

pilot:
  dashboard: false

accessLog:
  filePath: "/var/log/traefik/access.log"
  filters:
    statusCodes:
      - "400-600"