# Dynamic configuration: routers for the web dashboards.
#
# Traefik TERMINATES TLS on these routers and obtains Let's Encrypt
# certificates automatically through the "le" resolver. None of these hosts
# use Windows-Integrated auth, so terminating at the proxy is fine.
#
# ACME http-01 only works if every Host below resolves publicly and is
# reachable on :80 through the edge. For internal-only dashboards, switch to
# a dnsChallenge or a default cert instead (see traefik.yml).
#
# NOTE(review): http-01 means these names are publicly resolvable. Only
# traefik-dashboard has a middleware attached in this file; flame and
# portainer rely entirely on their own login. If they are meant to be
# internal, confirm that something else (firewall, allow-list middleware)
# restricts who can reach :443.
http:
  routers:
    flame:
      entryPoints:
        - websecure
      rule: 'Host(`start.osk.team`)'
      service: flame
      tls:
        certResolver: le

    portainer:
      entryPoints:
        - websecure
      rule: 'Host(`portainer.osk.team`)'
      service: portainer
      tls:
        certResolver: le

    traefik-dashboard:
      entryPoints:
        - websecure
      rule: 'Host(`traefik.osk.team`)'
      # api@internal is Traefik's built-in API/dashboard service; dash-auth
      # (defined under middlewares below) is the only access control on it.
      service: api@internal
      middlewares:
        - dash-auth
      tls:
        certResolver: le

  services:
    flame:
      loadBalancer:
        servers:
          - url: 'http://flame:5005'

    portainer:
      # Portainer has to be reachable from Traefik. This service targets the
      # host IP and Portainer's HTTPS port. The alternative is to attach the
      # portainer container to reverseproxy-nw and address it by name.
      #
      # "insecure" is a serversTransport that is not defined in this file; it
      # has to exist elsewhere in the dynamic configuration and is expected
      # to set insecureSkipVerify. With that set, the Traefik -> Portainer
      # hop is encrypted but the backend certificate is NOT verified.
      # NOTE(review): prefer a serversTransport that trusts Portainer's
      # certificate (rootCAs) over skipping verification.
      loadBalancer:
        serversTransport: insecure
        servers:
          - url: 'https://192.168.0.8:9443'

  middlewares:
    dash-auth:
      basicAuth:
        # Generate an entry with htpasswd in bcrypt mode (-B). Escape $ as $$
        # only in docker-compose labels; in this YAML file use the raw
        # single-$ hash.
        #
        # NOTE(review): the "$2y$05$" prefix below is bcrypt cost 5, the
        # htpasswd default. Regenerate with a higher cost and let htpasswd
        # prompt for the password instead of passing it with -b, which leaves
        # it in shell history:
        #   htpasswd -nB -C 12 admin
        # If this file is committed or shared, move the entry to a file
        # referenced by usersFile and treat this hash as exposed.
        users:
          - 'admin:$2y$05$HjhBPjFYOxYTWS37DScedenZRiRZ.qbxMsf10XQVujzCljE9VbQfG'