---
# Helm values for a Traefik deployment that runs on the host network of
# nodes labelled hasDns=true and obtains certificates through a Cloudflare
# DNS challenge.

image:
  # repository and name carry the same value through the anchor/alias pair.
  repository: &traefikImage library/traefik
  name: *traefikImage
  tag: v2.9.4
  pullPolicy: IfNotPresent

experimental:
  http3:
    enabled: true
  plugins:
    enabled: false
  kubernetesGateway:
    enabled: false

# ClusterFirstWithHostNet keeps cluster DNS resolution working for a pod
# that uses the host network.
# NOTE(review): confirm the chart version in use reads dnsPolicy at this
# level; some chart versions expect it under `deployment:`.
dnsPolicy: ClusterFirstWithHostNet

# The pod shares the node's network namespace, so every listener below
# binds directly on the node's interfaces. `expose: false` on a port only
# keeps it out of the Service; it does not stop the listener from being
# reachable on the node IP. Restrict access with host or network firewalling.
hostNetwork: true

nodeSelector:
  # Quoted so the label value stays a string rather than a boolean.
  hasDns: "true"

# The container runs as root (UID/GID 0) with every capability dropped
# except NET_BIND_SERVICE and a read-only root filesystem.
# NOTE(review): root is presumably kept so ports 80/443 can be bound on the
# host network - confirm, and document the reason if it is intentional.
securityContext:
  capabilities:
    drop:
      - ALL
    add:
      - NET_BIND_SERVICE
  readOnlyRootFilesystem: true
  runAsGroup: 0
  runAsNonRoot: false
  runAsUser: 0

additionalArguments:
  # - "--entryPoints.web.forwardedHeaders.trustedIPs=127.0.0.1/32"
  # SECURITY: api.insecure serves the Traefik API and dashboard without
  # authentication on the `traefik` entry point (port 9000 below). That port
  # is also exposed through the NodePort Service and bound on the host
  # network, so anyone who can reach the node can read the full routing
  # configuration. Prefer disabling this flag and publishing the dashboard
  # through a router protected by an authentication middleware, or limit
  # port 9000 to a management network.
  - "--api.insecure=true"

# Environment variables are injected from a Secret, so credentials stay out
# of this file.
# NOTE(review): presumably this holds the Cloudflare API credentials used by
# the DNS challenge below - verify, and scope the token to DNS edits on the
# zones that need certificates.
envFrom:
  - secretRef:
      name: traefik-secrets

ports:
  # API/dashboard entry point; see the SECURITY comment on api.insecure.
  traefik:
    port: 9000
    expose: true
    exposedPort: 9000
    protocol: TCP
  web:
    port: 80
    expose: false
    protocol: TCP
  websecure:
    port: 443
    expose: false
    protocol: TCP
    tls:
      enabled: true
  # Metrics are published through the Service as well; they can reveal
  # router and service names and traffic volumes, so limit who can scrape
  # them.
  metrics:
    port: 9100
    expose: true
  udp:
    port: 6666
    protocol: UDP
    expose: true

# Default TLS options: reject handshakes whose SNI matches no configured
# certificate and refuse anything older than TLS 1.2.
tlsOptions:
  default:
    sniStrict: true
    minVersion: VersionTLS12

service:
  enabled: true
  type: NodePort

certResolvers:
  cloudflare:
    email: me@roxedus.dev
    dnsChallenge:
      provider: cloudflare
    # acme.json stores the ACME account key and the private keys of issued
    # certificates. The root filesystem is read-only, so /data must be a
    # writable mounted volume; the persistence settings are not visible in
    # this file - confirm the volume exists and is not shared with other
    # workloads.
    storage: /data/acme.json