http:
  # Transport for self-signed certs
  serversTransports:
    insecure-transport:
      insecureSkipVerify: true

  # Static routers for on-prem backends
  routers:
    tnas-router:
      rule: "Host(`tnas.castaldifamily.com`)"
      entryPoints:
        - websecure
      tls:
        certResolver: cloudflare
      service: tnas-service
      middlewares:
        - security-headers@file

    dsm-router:
      rule: "Host(`dsm.castaldifamily.com`)"
      entryPoints:
        - websecure
      tls:
        certResolver: cloudflare
      service: dsm-service
      middlewares:
        - security-headers@file

    watchtower-router:
      rule: "Host(`watchtower.castaldifamily.com`)"
      entryPoints:
        - websecure
      tls:
        certResolver: cloudflare
      service: watchtower-service
      middlewares:
        - security-headers@file

    gatus-router:
      rule: "Host(`status.castaldifamily.com`)"
      entryPoints:
        - websecure
      tls:
        certResolver: cloudflare
      service: gatus-service
      middlewares:
        - security-headers@file

  # Services (backends)
  services:
    tnas-service:
      loadBalancer:
        servers:
          - url: "https://10.0.0.250:5443/tos/#/"
        serversTransport: insecure-transport

    dsm-service:
      loadBalancer:
        servers:
          - url: "https://10.0.0.249:5001"
        passHostHeader: true
        serversTransport: insecure-transport

    watchtower-service:
      loadBalancer:
        servers:
          - url: "https://10.0.0.200:9090"
        serversTransport: insecure-transport

    gatus-service:
      loadBalancer:
        servers:
          - url: "http://10.0.0.200:8080"
        serversTransport: insecure-transport