---
# Services hosted on `application` that the DMZ reverseproxy should
# forward public traffic to. The DMZ traefik picks this up via
# hostvars[backend].traefik_dmz_exposed_services and renders a router +
# service for each entry into /config/services.yml.
traefik_dmz_exposed_services:
  - name: authentik
    domain: auth.gymb.souveredu.ch
    backend_host: auth.int.gymb.souveredu.ch
    port: 443
    protocol: https
  - name: nextcloud
    domain: cloud.gymb.souveredu.ch
    backend_host: cloud.int.gymb.souveredu.ch
    port: 443
    protocol: https
  - name: collabora
    domain: office.gymb.souveredu.ch
    backend_host: office.int.gymb.souveredu.ch
    port: 443
    protocol: https
  - name: drawio
    domain: draw.gymb.souveredu.ch
    # No internal FQDN/cert for drawio yet — proxy by IP. Combined
    # with serversTransport `insecureSkipVerify` (handled by the
    # selfsigned-mode branch in the template), or accept the route's
    # 500 until the cert is wired up.
    port: 443
    protocol: https