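---
# Traefik v3 static configuration (OSK reverse proxy / SNI router)
# Mounted read-only at /etc/traefik/traefik.yml
#
# Static configuration is read once at startup; routers, middlewares and
# services come from the providers declared below.

global:
  checkNewVersion: false
  sendAnonymousUsage: false

log:
  level: INFO

# Access log enabled with Traefik's defaults. Keep it on: it is the request
# trail needed to investigate anything that reaches the proxy.
accessLog: {}

api:
  # Exposed via the dynamic/web.yml router (traefik.osk.team) with basic-auth.
  # NOTE(review): that file is not part of this config; confirm the router
  # really attaches the auth middleware, since the dashboard lists every
  # route and backend.
  dashboard: true
  # Pinned explicitly (false is already the default) so the API is never
  # served unauthenticated on Traefik's own entry point.
  insecure: false

entryPoints:
  web:
    address: ":80"
    http:
      # Plain HTTP is only a redirector; all traffic is served on websecure.
      redirections:
        entryPoint:
          to: websecure
          scheme: https

  websecure:
    address: ":443"
    # NOTE: TLS-passthrough TCP routers and TLS-terminating HTTP routers
    # coexist on :443. Traefik matches specific HostSNI(...) TCP routers
    # first, and everything else falls through to the HTTP routers.

providers:
  # Docker labels (for local containers that opt in with traefik.enable=true).
  # No endpoint is set, so Traefik talks to its default Docker socket.
  # Access to that socket is effectively root on the host; a read-only
  # socket proxy in front of it limits what a compromised proxy can do.
  docker:
    # Containers are ignored unless they carry traefik.enable=true.
    exposedByDefault: false
    network: reverseproxy-nw

  # File provider = all the static routing (SNI passthrough + dashboards).
  file:
    directory: /etc/traefik/dynamic
    # Changes are applied live, so write access to this directory is
    # equivalent to control of routing. Keep it admin-writable only.
    watch: true

# Let's Encrypt: only for hosts Traefik TERMINATES (dashboards).
# Passthrough hosts (workfolders/mail/kdcproxy) keep their own backend certs.
certificatesResolvers:
  le:
    acme:
      email: gamroot@osk.team  # <-- CHANGE to a real address
      # Holds the ACME account key and the issued private keys. Traefik
      # expects this file to be mode 600; keep it on a persistent volume
      # and out of version control and unencrypted backups.
      storage: /acme/acme.json
      httpChallenge:
        entryPoint: web
      # For internal-only dashboards not reachable on :80 from the internet,
      # switch to a dnsChallenge or a default self-signed cert instead.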