---
# Local traefik needs to reach authentik for the ForwardAuth subrequest
# the garage-webui router fires. The public IP is unreachable from this
# subnet (no DMZ hairpin), so point auth.gymb.* directly at the
# application host where authentik runs. Without this the forwardauth
# middleware would time out and every garage-console request would 502.
#
# Each entry is "hostname:address".
# NOTE(review): this is a static pin. If authentik moves, update the
# address here, or auth subrequests will fail or reach whatever host
# holds the old address.
# NOTE(review): the override changes name resolution only. Presumably the
# ForwardAuth address uses https and traefik still validates the
# certificate for the auth.gymb.souveredu.ch name; confirm in the
# middleware definition.
traefik_extra_hosts:
  - "auth.gymb.souveredu.ch:172.16.19.101"

# Services hosted on `storage` that the DMZ reverseproxy should forward
# public traffic to. See application/traefik.yml for the mechanism.
#
# Fields used below: name (service label), domain (public hostname),
# backend_host (internal FQDN to forward to), port and protocol of the
# backend.
# NOTE(review): every entry here is reachable from the public side. Keep
# the list minimal and check that each route has the access control it
# needs.
traefik_dmz_exposed_services:
  - name: garage-s3
    domain: s3.gymb.souveredu.ch
    backend_host: s3.int.gymb.souveredu.ch
    port: 443
    protocol: https
  - name: garage-webui
    domain: console.s3.gymb.souveredu.ch
    # No internal FQDN/cert SAN for console.s3 yet — would need an
    # extra_domain on garage-webui. Until then this route will 500
    # against the storage backend (cert mismatch on raw IP).
    #
    # NOTE(review): backend_host is left unset on purpose (see above).
    # Fix the mismatch by adding the SAN and setting backend_host as on
    # garage-s3, not by relaxing backend certificate verification on the
    # DMZ proxy.
    # NOTE(review): this publishes an admin console. Presumably the
    # ForwardAuth middleware on the garage-webui router is what gates it.
    # Confirm the DMZ-forwarded path cannot bypass that middleware once
    # the route works.
    port: 443
    protocol: https