weyma-talos/system-apps/traefik/values.yaml


# Helm values for the Traefik subchart (everything sits under the `traefik:` key),
# with a cloudflared tunnel sidecar and two extra objects for its credentials
# and the default TLS certificate.
# NOTE(review): the listing this was taken from had lost its indentation; the
# nesting below is reconstructed and should be checked against the chart's
# values schema before use.
traefik:
  additionalArguments:
    # api.insecure serves the API and dashboard without authentication on the
    # internal `traefik` entrypoint. Anything that can reach that port on the
    # pod can read the full routing configuration. The dashboard is already
    # published through ingressRoute.dashboard below, so this flag looks
    # redundant; prefer removing it and protecting the route with an auth
    # middleware.
    - --api.insecure=true
    # readTimeout=0 disables the read timeout on websecure, so a client that
    # sends a request very slowly can hold a connection open indefinitely.
    # Presumably set for long uploads or pushes -- TODO confirm; a large finite
    # value keeps that working while bounding slow-request resource use.
    - --entryPoints.websecure.transport.respondingTimeouts.readTimeout=0
  ports:
    web:
      # Plain HTTP is permanently redirected to the websecure entrypoint.
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
    # Extra entrypoint: Traefik listens on 2222 and the Service publishes it as
    # port 22. The router that sends this traffic anywhere is not in this file.
    gitssh:
      port: 2222
      exposedPort: 22
      expose:
        default: true
      # NOTE(review): placement of `tls` under `gitssh` is reconstructed.
      # Passthrough is normally a property of a TCP router (IngressRouteTCP),
      # and SSH is not TLS, so confirm the chart actually reads this key here.
      tls:
        passthrough: true
  metrics:
    prometheus:
      # Dedicated metrics Service plus ServiceMonitor and PrometheusRule objects.
      service:
        enabled: true
      serviceMonitor:
        enabled: true
      prometheusRule:
        enabled: true
  deployment:
    kind: DaemonSet
    additionalContainers:
      # cloudflared runs as a sidecar in every Traefik pod.
      - name: cloudflared
        # Pinned by tag only. A tag can be re-pointed upstream; appending the
        # image digest (@sha256:<digest>) makes the pulled image immutable.
        image: cloudflare/cloudflared:2025.11.1
        command:
          - cloudflared
          - tunnel
          - --no-autoupdate
          - --metrics
          # The metrics listener also serves /ready, which the livenessProbe
          # below calls on the pod IP, so it cannot be bound to localhost.
          # Limit which peers may reach port 2000 with a NetworkPolicy.
          - 0.0.0.0:2000
          - run
        env:
          # The tunnel token is read from the cloudflare-cred Secret, which the
          # ExternalSecret under extraObjects creates. An env var is resolved
          # when the container starts, so a rotated token only takes effect
          # after the pod is restarted.
          - name: TUNNEL_TOKEN
            valueFrom:
              secretKeyRef:
                name: cloudflare-cred
                key: 7e903099-1fbe-48d1-93ac-0922859851a9.json
        livenessProbe:
          # failureThreshold 1 with a 1 s timeout: a single slow or failed
          # /ready response restarts the sidecar.
          failureThreshold: 1
          httpGet:
            path: /ready
            port: 2000
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
  tlsStore:
    default:
      # Default certificate comes from the replicated Secret declared under
      # extraObjects.
      defaultCertificate:
        secretName: cert-dubyatp-xyz
  ingressRoute:
    # Publishes the dashboard through an IngressRoute. No auth middleware or
    # entrypoint list is set in this file, so chart defaults apply -- verify
    # which entrypoints the route binds to and who can reach them.
    dashboard:
      enabled: true
  providers:
    file:
      enabled: true
      watch: true
      # Inline dynamic configuration: defines the `cloudflarewarp` middleware,
      # backed by the traefik-real-ip plugin loaded under `experimental`.
      # NOTE(review): a middleware that derives the client IP from request
      # headers is only trustworthy when every request passes through a proxy
      # that sets them. web/websecure are also reachable without the tunnel
      # (see `service`), where a client can supply those headers itself --
      # confirm where this middleware is attached.
      # NOTE(review): "1.1.1.1/24" has host bits set; the network is
      # 1.1.1.0/24. Confirm this is the range meant to be excluded.
      content: |
        http:
          middlewares:
            cloudflarewarp:
              plugin:
                traefik-real-ip:
                  excludednets:
                    - "1.1.1.1/24"
  service:
    spec:
      # Local keeps the original client source IP and only routes to nodes that
      # run a Traefik pod (every node, given the DaemonSet).
      externalTrafficPolicy: Local
  experimental:
    plugins:
      # Third-party plugin code fetched by module name and executed inside
      # Traefik on the request path. The version is pinned; review the source
      # at that tag and re-review on every bump.
      traefik-real-ip:
        moduleName: github.com/jramsgz/traefik-real-ip
        version: v1.0.4
  extraObjects:
    # Pulls the tunnel token from the weyma-vault ClusterSecretStore (key
    # `traefik`, property `cloudflare-token`) into the cloudflare-cred Secret,
    # refreshed hourly. creationPolicy Owner ties the Secret's lifetime to
    # this ExternalSecret.
    - apiVersion: external-secrets.io/v1
      kind: ExternalSecret
      metadata:
        name: cloudflare-cred
      spec:
        refreshInterval: 1h
        secretStoreRef:
          name: weyma-vault
          kind: ClusterSecretStore
        target:
          name: cloudflare-cred
          creationPolicy: Owner
        data:
          - secretKey: 7e903099-1fbe-48d1-93ac-0922859851a9.json
            remoteRef:
              key: traefik
              property: cloudflare-token
    # Placeholder Secret: the replicator annotations copy tls.crt and tls.key
    # from cert-manager/cert-dubyatp-xyz into it, so no key material lives in
    # this file. The source Secret has to allow replication explicitly; keep
    # its allowed-namespaces list limited to the namespaces that need the key.
    - apiVersion: v1
      kind: Secret
      metadata:
        name: cert-dubyatp-xyz
        annotations:
          replicator.v1.mittwald.de/replicate-from: "cert-manager/cert-dubyatp-xyz"
          replicator.v1.mittwald.de/replicated-keys: "tls.crt,tls.key"
      data:
        tls.crt: ""
        tls.key: ""