---
# Helm values for Traefik, nested under the `traefik` key (presumably consumed
# as a subchart -- confirm). The nesting below was rebuilt from a flattened
# copy of the file; check it against the chart's values schema before applying.
traefik:
  additionalArguments:
    # Serves the API and dashboard without authentication on the entrypoint
    # named `traefik`. Anything able to reach that port on the pod can read the
    # full routing configuration. Prefer the dashboard IngressRoute (enabled
    # further down) behind an auth middleware and drop this flag, or confirm
    # the port is never reachable from outside the pod network.
    - --api.insecure=true
    # 0 means "no read timeout" on websecure: a client may hold a connection
    # open indefinitely while sending its request slowly. If this is here to
    # allow long uploads, a large finite value bounds the exposure; otherwise
    # confirm another layer limits request duration.
    - --entryPoints.websecure.transport.respondingTimeouts.readTimeout=0

  ports:
    web:
      # Permanent redirect of plain HTTP to the websecure entrypoint.
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
    # Extra entrypoint listening on 2222 and published on the Service as 22.
    gitssh:
      port: 2222
      exposedPort: 22
      expose:
        default: true
      # NOTE(review): SSH is not TLS traffic. Confirm the chart version in use
      # recognises `tls.passthrough` on a port entry and that it has the
      # intended effect; an unrecognised key may be ignored silently.
      tls:
        passthrough: true

  metrics:
    prometheus:
      # Dedicated metrics Service; the label is presumably what the scrape
      # configuration selects on -- verify against the monitoring setup.
      service:
        enabled: true
        labels:
          metrics_enabled: "true"

  deployment:
    # One Traefik pod per node.
    kind: DaemonSet
    additionalContainers:
      # Cloudflare Tunnel connector running as a sidecar in the Traefik pod.
      - name: cloudflared
        # Pinned by tag only. Tags are mutable; pin by digest if the image
        # content must be reproducible.
        image: cloudflare/cloudflared:2025.8.1
        command:
          - cloudflared
          - tunnel
          - --no-autoupdate
          - --metrics
          # Bound on all pod interfaces so the kubelet probe below can reach
          # it; other pods can reach it too unless a NetworkPolicy restricts
          # port 2000.
          - 0.0.0.0:2000
          - run
        env:
          # Tunnel token comes from the `cloudflare-cred` Secret populated by
          # the ExternalSecret in extraObjects; the key name must stay in sync
          # with `secretKey` there.
          - name: TUNNEL_TOKEN
            valueFrom:
              secretKeyRef:
                name: cloudflare-cred
                key: 7e903099-1fbe-48d1-93ac-0922859851a9.json
        # failureThreshold 1 with timeoutSeconds 1: a single probe that takes
        # longer than one second restarts the container.
        livenessProbe:
          failureThreshold: 1
          httpGet:
            path: /ready
            port: 2000
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1

  # Default certificate served when no route-specific certificate matches.
  # The Secret is declared in extraObjects below.
  tlsStore:
    default:
      defaultCertificate:
        secretName: cert-dubyatp-xyz

  # Creates the chart's dashboard IngressRoute. No authentication middleware
  # for it is visible in these values -- confirm one is attached elsewhere.
  ingressRoute:
    dashboard:
      enabled: true

  providers:
    file:
      enabled: true
      watch: true
      # Dynamic configuration: declares the `cloudflarewarp` middleware, backed
      # by the traefik-real-ip plugin loaded under `experimental.plugins`.
      # `excludednets` feeds the plugin's choice of client address from
      # forwarding headers (see the plugin README -- confirm exact semantics).
      # NOTE(review): "1.1.1.1/24" has host bits set (the network is
      # 1.1.1.0/24) and looks like a sample value; confirm it is the range
      # intended. Forwarding headers are client-supplied unless an upstream
      # proxy overwrites them, so anything using the derived address for
      # access control should account for traffic that reaches Traefik without
      # passing through Cloudflare.
      content: |
        http:
          middlewares:
            cloudflarewarp:
              plugin:
                traefik-real-ip:
                  excludednets:
                    - "1.1.1.1/24"

  service:
    spec:
      # Keeps the client source address and routes only to node-local pods.
      externalTrafficPolicy: Local

  experimental:
    plugins:
      # Third-party plugin pinned to a version tag; review the code at that
      # tag before bumping it.
      traefik-real-ip:
        moduleName: github.com/jramsgz/traefik-real-ip
        version: v1.0.4

  extraObjects:
    # Pulls property `cloudflare-token` of key `traefik` from the
    # `weyma-vault` ClusterSecretStore into Secret `cloudflare-cred`,
    # refreshed hourly.
    - apiVersion: external-secrets.io/v1
      kind: ExternalSecret
      metadata:
        name: cloudflare-cred
      spec:
        refreshInterval: 1h
        secretStoreRef:
          name: weyma-vault
          kind: ClusterSecretStore
        target:
          name: cloudflare-cred
          creationPolicy: Owner
        data:
          - secretKey: 7e903099-1fbe-48d1-93ac-0922859851a9.json
            remoteRef:
              key: traefik
              property: cloudflare-token
    # Empty placeholder Secret; the annotations ask the mittwald replicator to
    # copy `tls.crt` and `tls.key` from `cert-manager/cert-dubyatp-xyz`. Once
    # replicated it holds the TLS private key, so read access to Secrets in
    # this namespace should be limited accordingly.
    - apiVersion: v1
      kind: Secret
      metadata:
        name: cert-dubyatp-xyz
        annotations:
          replicator.v1.mittwald.de/replicate-from: "cert-manager/cert-dubyatp-xyz"
          replicator.v1.mittwald.de/replicated-keys: "tls.crt,tls.key"
      data:
        tls.crt: ""
        tls.key: ""