# TSIG material for the ACME DNS-01 setup, read from HashiCorp Vault at
# <vault_mount>/data/acme-tsig. vault_mount and vault_addr are not defined in
# this excerpt. The '/data/' segment suggests a KV v2 mount; confirm against
# the Vault layout. The fields read below are server, tsig_key, tsig_secret.
# Ansible templates variables lazily, so each reference to _acme_tsig
# re-runs the lookup.
_acme_tsig: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount + '/data/acme-tsig', url=vault_addr) }}"

# TLS / certificate issuance
traefik_use_ssl: true
traefik_cert_mode: 'acme'
traefik_ssl_email: 'hostmaster@digitalboard.ch'

# NOTE(review): DEBUG is verbose; confirm whether it should stay enabled
# once certificate issuance has been verified.
traefik_log_level: 'DEBUG'
traefik_network: 'proxy'

# DNS zone and nameserver used for the DNS-01 challenge. The nameserver
# address comes from the Vault secret rather than being hard-coded here.
traefik_acme_dns_zone: 'demo-gymb._acme.digitalboard.ch'
traefik_acme_dns_nameserver: "{{ _acme_tsig.server }}"

# TSIG credentials, presumably used by the role to authenticate its DNS
# updates. tsig_secret is a shared key.
# NOTE(review): verify that the consuming tasks and templates (not visible
# here) set no_log and restrictive file modes wherever this value is
# rendered.
traefik_acme_tsig_algorithm: 'hmac-sha256'
traefik_acme_tsig_key: "{{ _acme_tsig.tsig_key }}"
traefik_acme_tsig_secret: "{{ _acme_tsig.tsig_secret }}"

# Outbound UDP/53 from the traefik container to ns1.digitalboard.ch is
# unreliable: lego's recursive SOA pre-check fails with i/o timeouts.
# TCP/53 to the same nameserver is open, so lego is forced to do its DNS
# lookups over TCP and the DNS-01 challenge can proceed.
traefik_acme_tcp_only: true