---
# Layer-4 (SNI) TLS pass-through for the Windows hosts.
#
# Traefik never decrypts these connections. It peeks at the SNI in the TLS
# ClientHello, picks the matching router below and hands the raw TCP stream
# to the backend. The backend terminates TLS with its own certificate and
# does its own Windows-integrated authentication (Kerberos / NTLM /
# Negotiate) - exactly what an HTTP-terminating reverse proxy (NPM /
# openresty) would break.
#
# Prerequisites:
#   - Every client has to send SNI; without it none of the HostSNI routers
#     below can match (current Outlook / ActiveSync / Work Folders clients
#     all send it).
#   - Each backend must serve a certificate valid for the name(s) routed to it:
#       serverfile -> files.osk.team + workfolders.osk.team (LE, 9b279156...)
#       servermail -> mail.osk.team + autodiscover.osk.team (Exchange cert)
#       serverwsus -> kdcproxy.osk.team (self-signed, 02B9ADB3...)
#     Only workfolders.osk.team is routed by this file; files.osk.team is
#     presumably handled by an HTTP router elsewhere - verify.
#
# NOTE(review): since TLS is not terminated here, Traefik enforces nothing
# about TLS versions, ciphers or HTTP-layer middlewares for these names; the
# backends' own TLS and auth hardening is the only control. The backends
# also see Traefik's address as the peer rather than the client's unless
# PROXY protocol is enabled on the service and understood by the backend -
# check what Exchange / KDC-proxy logging and lockout policies rely on.
# NOTE(review): the KDC proxy cert is self-signed, so clients must trust
# 02B9ADB3... explicitly - confirm it is in the client trust store.
# NOTE(review): these routers share the "websecure" entrypoint with any HTTP
# routers; an HTTP router for one of these hostnames on the same entrypoint
# is presumably shadowed by the TCP pass-through router - verify.

tcp:
  routers:
    # serverfile - Work Folders
    workfolders:
      service: serverfile-wf
      rule: 'HostSNI(`workfolders.osk.team`)'
      entryPoints:
        - websecure
      tls:
        passthrough: true

    # servermail - Exchange 2019 and Autodiscover
    exchange:
      service: servermail-ex
      rule: 'HostSNI(`mail.osk.team`, `autodiscover.osk.team`)'
      entryPoints:
        - websecure
      tls:
        passthrough: true

    # serverwsus - KDC proxy
    kdcproxy:
      service: serverwsus-kdc
      rule: 'HostSNI(`kdcproxy.osk.team`)'
      entryPoints:
        - websecure
      tls:
        passthrough: true

  services:
    # serverfile - Work Folders
    serverfile-wf:
      loadBalancer:
        servers:
          - address: '192.168.0.11:443'

    # servermail - Exchange 2019
    servermail-ex:
      loadBalancer:
        servers:
          - address: '192.168.0.6:443'

    # serverwsus - KDC proxy
    serverwsus-kdc:
      loadBalancer:
        servers:
          - address: '192.168.0.7:443'