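# Traefik Static Configuration
# Generated by felhom-controller (base-infra bring-up). Do not edit — regenerated on bring-up.
#
# NOTE(review): this file is a template; the substituted values (Domain, ACMEEmail) are
# inserted as-is, so the controller should validate them before rendering — confirm.

api:
  dashboard: true
  # insecure: false keeps the API/dashboard off the unauthenticated built-in listener.
  # NOTE(review): the dashboard is then only reachable through a router to api@internal,
  # which is not defined in this file — confirm that router carries an auth middleware.
  insecure: false

entryPoints:
  web:
    address: ":80"
    # All plain-HTTP traffic is redirected to the websecure entry point over https.
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
    # NOTE(review): entry-point TLS is only configured when an ACME e-mail is set; without
    # it, routers on websecure must enable TLS themselves — confirm in the dynamic config.
{{- if .ACMEEmail}}
    http:
      tls:
        certResolver: letsencrypt
{{- if .CFAPIToken}}
        # Wildcard proactive issuance (DNS-01 only — HTTP-01 can't do wildcards): traefik
        # obtains *.<domain> (+ apex) at startup, so every router serves the real cert by
        # SNI match with no per-app labels and the cert is ready before the first client
        # connects.
        domains:
          - main: "*.{{.Domain}}"
            sans:
              - "{{.Domain}}"
{{- end}}
{{- end}}

providers:
  docker:
    # NOTE(review): access to the Docker socket is access to the Docker API of the host.
    # Consider a socket proxy that only allows the read-only endpoints Traefik needs.
    endpoint: "unix:///var/run/docker.sock"
    # Containers are not routed unless they opt in explicitly.
    exposedByDefault: false
    network: traefik-public
  file:
    # Dynamic configuration is hot-reloaded from this directory (watch: true).
    # NOTE(review): write access here changes routing and TLS settings at runtime; keep
    # the directory writable only by the controller — confirm ownership and mode.
    directory: /etc/traefik/dynamic
    watch: true

log:
  level: INFO

# Empty mapping: access logging enabled with Traefik's default settings.
accessLog: {}
{{- if .ACMEEmail}}

certificatesResolvers:
  letsencrypt:
    acme:
      # Quoted like the Domain values so the rendered address is always one string scalar.
      email: "{{.ACMEEmail}}"
      # Holds the ACME account key and the issued private keys; Traefik expects this file
      # to be mode 600.
      storage: /etc/traefik/acme.json
{{- if .CFAPIToken}}
      # CFAPIToken is only used as a switch here; the token value is not written to this
      # file. NOTE(review): presumably it reaches Traefik through the container
      # environment — confirm, and scope the token to DNS edits on this one zone.
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
{{- else}}
      # No Cloudflare token: fall back to HTTP-01 on the port-80 entry point.
      httpChallenge:
        entryPoint: web
{{- end}}
{{- end}}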