---
# Traefik dynamic middleware configuration
# Managed by homelab-registry-mcp write path
# Source of truth: nodes/heimdall/core/traefik/dynamic/
# Do not edit /mnt/appdata/traefik/dynamic/ directly

http:
  middlewares:

    security-headers:
      headers:
        stsSeconds: 63072000
        stsIncludeSubdomains: true
        stsPreload: true
        frameDeny: true
        contentTypeNosniff: true
        browserXssFilter: true
        referrerPolicy: "same-origin"

    ratelimit-basic:
      rateLimit:
        average: 50
        burst: 100

    dashboard-auth:
      basicAuth:
        users:
          - "chester:$2y$05$li5tJ0g9IN.QCfX1Q/QJu.ygbpuVQQmnEe1.jFdfFg9R8OvZiMNEi"

    https-redirect:
      redirectScheme:
        scheme: https
        permanent: true

    dashboard-slash:
      redirectregex:
        regex: ^/dashboard$
        replacement: /dashboard/
        permanent: true

    authentik-auth:
      forwardAuth:
        # If your Authentik container is on the same network as Traefik, 
        # use the container name. Otherwise, use the internal IP.
        address: "http://10.0.0.151:9000/outpost.goauthentik.io/auth/traefik"
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt