http:
  middlewares:
    pocketid-auth:
      forwardAuth:
        address: "https://auth-proxy.{{ domain }}/api/auth/traefik"
        trustForwardHeader: true
        authResponseHeaders:
          - "X-Auth-User"
          - "X-Auth-Email"
          - "X-Auth-Name"
          - Authorization
          - Remote-Email 
          - Remote-Name
          - Remote-User
          - Remote-Groups
    
    traefik-https-redirect:
      redirectScheme:
        scheme: https
        permanent: true

  routers:
    traefik-secure:
      rule: "Host(`traefik.{{ domain }}`)"
      entryPoints:
        - https
      middlewares:
        - pocketid-auth
      service: api@internal
      tls:
        certResolver: cloudflare

    sonarr:
      rule: "Host(`sonarr.{{ domain }}`)"
      entryPoints:
        - https
      middlewares:
        - pocketid-auth
      service: sonarr
      tls:
        certResolver: cloudflare

    pocketid:
      rule: "Host(`auth.{{ domain }}`)"
      entryPoints:
        - https
      service: pocketid
      tls:
        certResolver: cloudflare
    
    tinyauth:
      rule: "Host(`auth-proxy.{{ domain }}`)"
      entryPoints:
        - https
      service: tinyauth
      tls:
        certResolver: cloudflare
  
  services:
    sonarr:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: "http://{{ sonarr_host }}:{{ sonarr_port }}"

    pocketid:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: "http://{{ pocketid_host }}:{{ pocketid_port  }}"
    
    tinyauth:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: "http://{{ tinyauth_host }}:{{ tinyauth_port }}"