#SPDX-License-Identifier: MIT-0
---
# defaults file for traefik
# Role defaults have the lowest Ansible variable precedence, so every value here
# is a fallback that inventory, group_vars or host_vars can override.

# Base directory configuration (inherited from base role or defined here)
docker_compose_base_dir: /etc/docker/compose
docker_volume_base_dir: /srv/data

# Service-specific configuration
service_name: traefik
# Both paths are derived from the base directories above plus service_name.
docker_compose_dir: "{{ docker_compose_base_dir }}/{{ service_name }}"
docker_volume_dir: "{{ docker_volume_base_dir }}/{{ service_name }}"

# Deployment mode: 'dmz' or 'backend'
# - dmz: Public-facing reverse proxy that routes to backend servers using file provider
# - backend: Application server with docker provider for local container discovery
# NOTE(review): the docker provider needs access to the Docker API. Confirm how
# the role grants it; a read-only socket mount or a socket proxy limits what a
# compromised proxy container can reach on the host.
traefik_mode: "backend"

# SSL configuration
use_ssl: true
# Placeholder address. Presumably used as the ACME account contact (confirm in
# the templates); override it with a real, monitored mailbox before switching
# cert_mode to 'acme'.
ssl_email: "admin@example.com"
ssl_cert_resolver: "dns"  # Certificate resolver name

# Certificate mode: 'acme' for Let's Encrypt with DNS challenge or 'selfsigned' for self-signed certs
# The default is the test setting: clients cannot validate a self-signed
# certificate, so production inventories must set cert_mode to 'acme' explicitly.
cert_mode: "selfsigned"  # Use selfsigned for vagrant, acme for production

# ACME DNS Challenge with RFC2136 (TSIG) configuration
# Empty by default; must be set per environment when cert_mode is 'acme'.
acme_dns_zone: ""  # e.g., "digitalboard._acme.digitalboard.ch."
# RFC2136 nameserver and TSIG credentials used for the ACME DNS challenge.
acme_dns_nameserver: ""  # e.g., "192.168.1.1:53"
acme_tsig_algorithm: "hmac-sha256"
acme_tsig_key: ""  # TSIG key name
# Keep the real secret out of this file and out of version control: supply it
# from Ansible Vault or a secret-store lookup. Whoever holds it can send signed
# dynamic updates to the nameserver, so restrict the key's update policy on the
# DNS server to the ACME challenge records only.
# NOTE(review): confirm the tasks that render this value set no_log and that the
# rendered file is not world-readable.
acme_tsig_secret: ""  # TSIG secret
# Numeric settings are kept as quoted strings.
# NOTE(review): presumably rendered into environment variables; confirm in the
# templates before changing the quoting.
acme_propagation_timeout: "120"
acme_polling_interval: "2"
acme_ttl: "60"

# Self-signed certificate configuration (for vagrant/testing)
# NOTE(review): this directory presumably also holds the generated private key;
# confirm the role creates it with restrictive ownership and mode.
selfsigned_cert_dir: "{{ docker_volume_dir }}/certs"
selfsigned_cert_days: 365
# Wildcard name: one certificate covers every host under local.test (test only).
selfsigned_common_name: "*.local.test"

# Dashboard
# Disabled by default. The dashboard shows the proxy's routing configuration.
# NOTE(review): confirm that both the port 8080 path and the dashboard_domain
# path require authentication and are unreachable from untrusted networks.
enable_dashboard: false
dashboard_domain: ""  # e.g., "traefik.local.test" - if set, exposes dashboard via hostname instead of port 8080

# Access log configuration
# Access logs are on by default, which keeps a request trail for detection and
# incident response. Traefik also supports a 'json' format, which is easier to
# parse in a log pipeline than 'common'.
enable_access_logs: true
access_log_format: "common"
log_level: "INFO"

# Network name
traefik_network: "proxy"

# Services to expose (defined by application roles via host_vars or group_vars)
# Each backend server should define this variable with their services
# NOTE(review): with 'protocol: http' the proxy-to-backend hop is presumably
# unencrypted; prefer https where that hop crosses a network boundary.
# traefik_services:
#   - name: httpbin
#     domain: httpbin.example.com
#     port: 8080
#     protocol: http  # http or https
#     entrypoints: [websecure]  # optional, defaults based on SSL config

# DMZ mode: Explicit backend server mapping
# Define which backend servers this DMZ proxy should route to
# If empty or undefined, routes to all servers in backend_servers group
# The empty default therefore fails open: any host added to backend_servers is
# published through the public-facing proxy automatically. Set an explicit list
# on production DMZ hosts so exposure is a deliberate decision.
backend_servers_to_proxy: []
# Example:
# backend_servers_to_proxy:
#   - backend1
#   - backend2