http:
  middlewares:
    badger:
      plugin:
        badger:
          disableForwardAuth: true
    redirect-to-https:
      redirectScheme:
        scheme: https

  routers:
    # --- Pangolin dashboard ---
    main-app-router-redirect:
      rule: "Host(`{{ pangolin_domain }}`)"
      service: next-service
      entryPoints:
        - web
      middlewares:
        - redirect-to-https
        - badger

    next-router:
      rule: "Host(`{{ pangolin_domain }}`) && !PathPrefix(`/api/v1`)"
      service: next-service
      entryPoints:
        - websecure
      middlewares:
        - badger
      tls:
        certResolver: letsencrypt

    api-router:
      rule: "Host(`{{ pangolin_domain }}`) && PathPrefix(`/api/v1`)"
      service: api-service
      entryPoints:
        - websecure
      middlewares:
        - badger
      tls:
        certResolver: letsencrypt

    ws-router:
      rule: "Host(`{{ pangolin_domain }}`)"
      service: api-service
      entryPoints:
        - websecure
      middlewares:
        - badger
      tls:
        certResolver: letsencrypt

    # --- Forgejo (public, no auth) ---
    forgejo-redirect:
      rule: "Host(`{{ forgejo_domain }}`)"
      service: forgejo-service
      entryPoints:
        - web
      middlewares:
        - redirect-to-https

    forgejo-router:
      rule: "Host(`{{ forgejo_domain }}`)"
      service: forgejo-service
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt

  services:
    next-service:
      loadBalancer:
        servers:
          - url: "http://pangolin:3002"

    api-service:
      loadBalancer:
        servers:
          - url: "http://pangolin:3000"

    forgejo-service:
      loadBalancer:
        servers:
          - url: "http://forgejo:3001"

tcp:
  serversTransports:
    pp-transport-v1:
      proxyProtocol:
        version: 1
    pp-transport-v2:
      proxyProtocol:
        version: 2