# Traefik dynamic configuration — TLS certificates and middleware
#
# Uses the wildcard mkcert certificate for all *.dezky.local hostnames.
# This file is watched and reloaded automatically by Traefik.

tls:
  certificates:
    - certFile: /certs/dezky.local.pem
      keyFile: /certs/dezky.local-key.pem
      stores:
        - default

  stores:
    default:
      defaultCertificate:
        certFile: /certs/dezky.local.pem
        keyFile: /certs/dezky.local-key.pem

http:
  middlewares:
    # Strong security headers for all services
    secure-headers:
      headers:
        frameDeny: false  # OCIS/Collabora need iframes
        sslRedirect: true
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 15552000
        customFrameOptionsValue: "SAMEORIGIN"

    # CORS for API calls between portal and provisioning service
    cors:
      headers:
        accessControlAllowMethods:
          - "GET"
          - "POST"
          - "PUT"
          - "PATCH"
          - "DELETE"
          - "OPTIONS"
        accessControlAllowOriginListRegex:
          - "^https://([a-z0-9-]+\\.)?dezky\\.local$"
        accessControlAllowHeaders:
          - "Content-Type"
          - "Authorization"
          - "X-Requested-With"
        accessControlMaxAge: 86400
        addVaryHeader: true