---
traefik_mode: dmz

# The DMZ traefik discovers which services to expose by reading
# traefik_dmz_exposed_services from each backend host's host_vars
# (application/traefik.yml, storage/traefik.yml). See the role's
# tasks/main.yml — set_fact "Build service registry from backend
# servers (DMZ mode)".

# From the DMZ network the public ns1 IP (193.43.183.169) is not
# reachable on port 53, but the internal address (172.16.9.169) is.
# Override the group-level traefik_acme_dns_nameserver from bao so
# lego's RFC2136 updates land at the internal interface. The TSIG
# key/secret are the same; only the transport target changes.
traefik_acme_dns_nameserver: "172.16.9.169"

# Lego's propagation check normally polls the NS hostnames listed in
# the zone's SOA (ns1.digitalboard.ch.) — which resolves to the
# public IP that's unreachable from this DMZ host. Skip that check;
# lego still polls via the resolver above before asking LE to
# validate.
traefik_acme_disable_ans_checks: true
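The two overrides above only work if the DMZ host really can reach the internal ns1 address on port 53 and nobody later resets the nameserver back to the group default. The following preflight playbook is an added example, not part of the traefik role or the host_vars shown here. It uses the variable names from this file (traefik_mode, traefik_acme_dns_nameserver, traefik_acme_disable_ans_checks) and the two IPs the comments mention; the inventory group name `traefik_dmz`, the role name `traefik`, the task names and the 5-second timeout are assumptions. Both modules (`ansible.builtin.assert`, `ansible.builtin.wait_for`) are standard Ansible.

```yaml
---
# Added preflight example (not the role's own code). Run before the
# traefik role on the DMZ host so a misrouted ACME nameserver fails
# fast in Ansible instead of timing out later inside lego.
- name: Preflight checks for DMZ traefik ACME DNS challenge
  hosts: traefik_dmz            # assumed inventory group name
  gather_facts: false
  pre_tasks:
    - name: Refuse a DMZ traefik that still targets the public nameserver
      ansible.builtin.assert:
        that:
          - traefik_mode == "dmz"
          # Group default from bao points at the public ns1 IP, which
          # this host cannot reach; the override must be the internal one.
          - traefik_acme_dns_nameserver != "193.43.183.169"
          - traefik_acme_dns_nameserver.startswith("172.16.")
          # Without this, lego would poll the public ns1 from the SOA
          # and never see the TXT record.
          - traefik_acme_disable_ans_checks | bool
        fail_msg: >-
          traefik_acme_dns_nameserver={{ traefik_acme_dns_nameserver }}
          / traefik_acme_disable_ans_checks={{ traefik_acme_disable_ans_checks }}
          are not the DMZ values; RFC2136 updates or propagation checks
          would go to an address unreachable from this network.

    - name: Confirm the internal nameserver accepts TCP on port 53 from this host
      # wait_for runs on the DMZ host itself, so it checks reachability
      # from the same vantage point lego will use. It verifies TCP
      # connectivity only; it does not validate the TSIG key or that the
      # zone permits dynamic updates from this source address.
      ansible.builtin.wait_for:
        host: "{{ traefik_acme_dns_nameserver }}"
        port: 53
        state: started
        timeout: 5                # assumed; raise if the DMZ firewall is slow

  roles:
    - traefik                     # assumed role name
```

Because the asserts pin the nameserver to the internal range and require `traefik_acme_disable_ans_checks`, a later change to the group-level defaults in bao surfaces as an explicit assertion failure on the DMZ host rather than as an opaque ACME timeout.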