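# Helm values for the Traefik chart on a k3s cluster.
#
# Security-relevant changes versus the previous revision of this file:
#   * the Docker socket is no longer mounted into the proxy pod,
#   * "--api.insecure=true" is gone and the dashboard IngressRoute now
#     requires an auth Middleware,
#   * cross-namespace CRD references are disabled,
#   * log level is INFO instead of DEBUG,
#   * the init container no longer fails on a fresh PVC and no longer uses
#     an unpinned ":latest" image.
# Each change is explained next to the setting it affects.

# This tells Traefik to run on each node, which is suitable for k3s.
deployment:
  kind: DaemonSet
  initContainers:
    # Traefik rejects an ACME store whose permissions are wider than 0600.
    # On a brand-new PVC the file does not exist yet, so create it (empty)
    # before the chmod instead of letting a failed `chmod` block the pod.
    # NOTE(review): chmod only succeeds if the file is owned by UID 65532;
    # if the PVC was seeded by another user, fix ownership out of band.
    - name: fix-permissions-acme-json
      # Pin a release tag (better: an @sha256 digest) rather than ":latest",
      # otherwise the init image can change underneath you on every restart.
      image: alpine:3.20
      securityContext:
        runAsNonRoot: true
        runAsUser: 65532
        runAsGroup: 65532
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop:
            - ALL
      command:
        - sh
        - -c
        - '[ -e /config/acme.json ] || : > /config/acme.json; chmod 600 /config/acme.json'
      volumeMounts:
        - name: data
          mountPath: /config

  # Extra volumes for the Traefik pod.
  #
  # SECURITY: the Docker socket mount is intentionally disabled.
  # /var/run/docker.sock is root-equivalent on the node for anything that can
  # talk to it (a compromised proxy could start privileged containers), and
  # mounting it `readOnly: true` does NOT help: the read-only flag applies to
  # the filesystem node, not to the API calls made over the socket. A default
  # containerd-based k3s node also has no docker.sock at all, so a
  # `type: Socket` hostPath would keep the pod from starting. Re-enable only
  # if you actually need the Docker provider, and then prefer a filtered
  # socket proxy over the raw socket.
  additionalVolumes:
    #- name: docker-sock
    #  hostPath:
    #    path: /var/run/docker.sock
    #    type: Socket
    - name: traefik-tmp
      persistentVolumeClaim:
        claimName: traefik-cache-pvc

podSecurityContext:
  runAsNonRoot: true
  runAsUser: 65532
  runAsGroup: 65532
  # NOTE(review): fsGroup differs from runAsGroup. Files on the PVCs get
  # GID 999 while the process runs as 65532 with 999 only as a supplementary
  # group; that works, but align the two unless existing PVC data depends on
  # GID 999.
  fsGroup: 999

providers:
  # The file provider is unused; kept here for reference only.
  #file:
  #  filename: /config/tls.yaml
  #  watch: true
  # The Docker provider is disabled: it needs the Docker socket (see
  # deployment.additionalVolumes above), and on k3s the Kubernetes providers
  # below are what actually route traffic.
  #docker:
  #  enabled: true
  #  exposedByDefault: false
  #  endpoint: "unix:///var/run/docker.sock"
  kubernetesIngress:
    enabled: true
  # Kubernetes CRD provider (IngressRoute, Middleware, TLSOption, ...).
  kubernetesCRD:
    enabled: true
    # Keep namespace isolation: an IngressRoute may only reference Services,
    # Middlewares and TLSOptions in its own namespace. Set to true only if you
    # genuinely need cross-namespace references, understanding that anyone who
    # can create an IngressRoute in any namespace can then route traffic to
    # any other namespace's Services.
    allowCrossNamespace: false

ports:
  # PROXY protocol (and, on websecure, X-Forwarded-* headers) is trusted only
  # from the pod CIDR.
  # NOTE(review): every pod inside 10.42.0.0/16 can therefore forge the client
  # IP. Narrow this to the addresses of the actual upstream proxy if there is
  # one, or remove it if clients reach the LoadBalancer directly —
  # externalTrafficPolicy: Local (below) already preserves the source IP
  # without PROXY protocol.
  web:
    proxyProtocol:
      trustedIPs:
        - "10.42.0.0/16"
  websecure:
    forwardedHeaders:
      trustedIPs:
        - "10.42.0.0/16"
    proxyProtocol:
      trustedIPs:
        - "10.42.0.0/16"

additionalVolumeMounts:
  # Docker socket mount disabled; see deployment.additionalVolumes.
  #- name: docker-sock
  #  mountPath: /var/run/docker.sock
  #  readOnly: true
  - name: traefik-tmp
    mountPath: /tmp-cache
    readOnly: false

# Expose Traefik via a LoadBalancer service.
service:
  enabled: true
  type: LoadBalancer
  spec:
    # Local avoids a second hop/SNAT so Traefik sees the real client IP;
    # the trade-off is that only nodes running a Traefik pod (all of them,
    # with the DaemonSet above) answer for the service.
    externalTrafficPolicy: Local

# Use the PVC you created earlier for persistent configuration and ACME certs.
persistence:
  enabled: true
  existingClaim: traefik-config-pvc
  path: /config

env:
  # Cloudflare API token for the DNS-01 challenge, read from a Secret rather
  # than written into this file. Scope the token to DNS edit on just the
  # zone(s) you issue certificates for; it does not need account-wide rights.
  - name: CF_DNS_API_TOKEN
    valueFrom:
      secretKeyRef:
        # The name of the secret you created.
        name: cloudflare-api-token
        # The key within the secret that holds the token.
        # This assumes you created the secret with a key named 'CF_DNS_API_TOKEN'.
        key: CF_DNS_API_TOKEN

# Extra CLI flags appended to the ones the chart generates.
additionalArguments:
  # "--api.insecure=true" was deliberately removed. It serves the API and
  # dashboard unauthenticated on the internal `traefik` entrypoint, and it is
  # not needed for the dashboard IngressRoute below (the chart enables
  # api.dashboard when ingressRoute.dashboard.enabled is true; if your chart
  # version does not, add "--api.dashboard=true" here, never api.insecure).
  #
  # The Docker provider flags are disabled together with the socket mount;
  # with no socket present they would only produce connection errors.
  #- "--providers.docker=true"
  #- "--providers.docker.exposedbydefault=false"
  #- "--providers.docker.endpoint=unix:///var/run/docker.sock"
  #
  # forwardedHeaders/proxyProtocol trustedIPs for websecure are set once,
  # under `ports` above; duplicating them here as flags is unnecessary.
  #
  # Static/file configuration is not used.
  #- "--configFile=/config/traefik.yaml"
  #- "--providers.file.filename=/config/tls.yaml"
  #
  # NOTE(review): the chart already renders the web entrypoint address from
  # ports.web.port (8000 by default, mapped to service port 80). Overriding
  # it to :80 makes Traefik listen on a port the container/Service may not
  # target, and binding below 1024 as UID 65532 needs CAP_NET_BIND_SERVICE.
  # Confirm this override is intended; otherwise set ports.web.port instead.
  - "--entryPoints.web.address=:80"

# Configure your Let's Encrypt certificate resolver.
certificatesResolvers:
  caresolver:
    acme:
      email: "ser3@acmemail.my.domain"
      # Lives on the persistence PVC; permissions are enforced by the init
      # container above.
      storage: "/config/acme.json"
      # DNS-01 via Cloudflare. Traefik (lego) picks CF_DNS_API_TOKEN up from
      # the environment set above.
      dnsChallenge:
        provider: cloudflare

ingressRoute:
  dashboard:
    enabled: true
    matchRule: Host(`traefik.my.domain`)
    entryPoints:
      - websecure
    # The dashboard exposes the complete routing configuration and must never
    # be reachable without authentication. This references a Middleware named
    # `traefik-dashboard-auth` (basicAuth or forwardAuth) that you create in
    # Traefik's own namespace; with allowCrossNamespace=false it cannot live
    # anywhere else. Create it before deploying — Traefik disables a router
    # whose Middleware cannot be found, so the dashboard stays closed rather
    # than falling open.
    middlewares:
      - name: traefik-dashboard-auth
    tls:
      certResolver: caresolver

logs:
  general:
    # DEBUG is extremely verbose and records request/route details for every
    # request; use it only while troubleshooting, not as the steady state.
    # NOTE(review): the chart keys the level under logs.general.level; a bare
    # logs.level is silently ignored — verify against your chart version.
    level: "INFO"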