feat: Added k3s, metallb, tried adding traefik

roles/authelia/tasks/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Add helm chart
+  ansible.builtin.shell: |
+    helm repo add authelia https://charts.authelia.com
+    helm repo update

roles/cert-manager/tasks/main.yml

@@ -0,0 +1,65 @@
+---
+# From repository
+- name: Add traefik helm repo
+  kubernetes.core.helm_repository:
+    name: jetstack
+    repo_url: "https://charts.jetstack.io"
+
+- name: Update the repository cache
+  kubernetes.core.helm:
+    kubeconfig: /Users/lino.silva/.kube/config
+    name: dummy
+    namespace: kube-system
+    state: absent
+    update_repo_cache: true
+
+- name: Download cert-manager.crds manifest to the cluster.
+  ansible.builtin.get_url:
+    url: https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml
+    dest: /tmp/cert-manager.crds.yaml
+    mode: "0664"
+
+- name: Apply cert-manager.crds manifest to the cluster.
+  kubernetes.core.k8s:
+    kubeconfig: /Users/lino.silva/.kube/config
+    state: present
+    src: /tmp/cert-manager.crds.yaml
+
+- name: Deploy latest version of cert-manager chart inside cert-manager namespace (and create it)
+  kubernetes.core.helm:
+    kubeconfig: /Users/lino.silva/.kube/config
+    name: cert-manager
+    chart_ref: jetstack/cert-manager
+    release_namespace: cert-manager
+    create_namespace: true
+    values: "{{ lookup('template', 'values.yml') | from_yaml }}"
+
+- name: Deploy cert-manager secret - Cloudflare
+  kubernetes.core.k8s:
+    kubeconfig: /Users/lino.silva/.kube/config
+    state: present
+    definition: "{{ lookup('template', 'secret-cf-token.yml') | from_yaml }}"
+
+- name: Deploy lets encrypt staging
+  kubernetes.core.k8s:
+    kubeconfig: /Users/lino.silva/.kube/config
+    state: present
+    definition: "{{ lookup('template', 'letsencrypt-staging.yml') | from_yaml }}"
+
+- name: Deploy cert-manager staging
+  kubernetes.core.k8s:
+    kubeconfig: /Users/lino.silva/.kube/config
+    state: present
+    definition: "{{ lookup('template', 'lino-cooking.staging.yml') | from_yaml }}"
+
+- name: Deploy lets encrypt production
+  kubernetes.core.k8s:
+    kubeconfig: /Users/lino.silva/.kube/config
+    state: present
+    definition: "{{ lookup('template', 'letsencrypt-production.yml') | from_yaml }}"
+
+- name: Deploy cert-manager production
+  kubernetes.core.k8s:
+    kubeconfig: /Users/lino.silva/.kube/config
+    state: present
+    definition: "{{ lookup('template', 'lino-cooking.prod.yml') | from_yaml }}"

roles/cert-manager/templates/letsencrypt-production.yml

@@ -0,0 +1,21 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-production
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: letsencrypt@lino.cooking
+    privateKeySecretRef:
+      name: letsencrypt-production
+    solvers:
+      - dns01:
+          cloudflare:
+            email: D5&YbHe&oKx82uuTQ^AfW#$*D8GsDE#K3x^446S^wvH#8T@W2C
+            apiTokenSecretRef:
+              name: cloudflare-token-secret
+              key: cloudflare-token
+        selector:
+          dnsZones:
+            - "lino.cooking"

roles/cert-manager/templates/letsencrypt-staging.yml

@@ -0,0 +1,21 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    email: letsencrypt@lino.cooking
+    privateKeySecretRef:
+      name: letsencrypt-staging
+    solvers:
+      - dns01:
+          cloudflare:
+            email: okulto+cloudflare@gmail.com
+            apiTokenSecretRef:
+              name: cloudflare-api-token-secret
+              key: api-token
+        selector:
+          dnsZones:
+            - "lino.cooking"

roles/cert-manager/templates/lino-cooking.prod.yml

@@ -0,0 +1,15 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: lino-cooking
+  namespace: default
+spec:
+  secretName: lino-cooking-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "*.lino.cooking"
+  dnsNames:
+    - "lino.cooking"
+    - "*.lino.cooking"

roles/cert-manager/templates/lino-cooking.staging.yml

@@ -0,0 +1,15 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: lino-cooking
+  namespace: default
+spec:
+  secretName: lino-cooking-staging-tls
+  issuerRef:
+    name: letsencrypt-staging
+    kind: ClusterIssuer
+  commonName: "*.lino.cooking"
+  dnsNames:
+    - "lino.cooking"
+    - "*.lino.cooking"

roles/cert-manager/templates/secret-cf-token.yml

@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cloudflare-api-token-secret
+  namespace: cert-manager
+type: Opaque
+stringData:
+  api-token: "{{ cloudflare_api_key }}"

roles/cert-manager/templates/values.yml

@@ -0,0 +1,10 @@
+installCRDs: false
+replicaCount: 3
+extraArgs:
+  - --dns01-recursive-nameservers=1.1.1.1:53,9.9.9.9:53
+  - --dns01-recursive-nameservers-only
+podDnsPolicy: None
+podDnsConfig:
+  nameservers:
+    - "1.1.1.1"
+    - "9.9.9.9"

roles/frigate/main.yml

@@ -1,56 +0,0 @@
----
-- name: Create LXC for frigate
-  hosts: localhost
-  gather_facts: yes
-  tasks:
-    - name: Stop container
-      community.general.proxmox:
-        vmid: 200
-        api_user: root@pam
-        api_password: {{ proxmox_api_password }}
-        api_host: 10.0.2.2
-        state: stopped
-      ignore_errors: yes
-
-    - name: Remove container
-      community.general.proxmox:
-        vmid: 200
-        api_user: root@pam
-        api_password: {{ proxmox_api_password }}
-        api_host: 10.0.2.2
-        state: absent
-      ignore_errors: yes
-
-    - name: Create container
-      community.general.proxmox:
-        vmid: 200
-        node: epona
-        api_user: root@pam
-        api_password: {{ proxmox_api_password }}
-        api_host: 10.0.2.2
-        password: {{ lxc_password }}
-        hostname: frigate
-        ostemplate: "hyrule-8tb-nfs:vztmpl/debian-11-standard_11.3-1_amd64.tar.zst"
-        netif: "{'net0':'name=eth0,\
-          gw=10.0.0.1,\
-          ip=10.0.2.14/21,\
-          hwaddr=62:67:fc:7a:58:01,\
-          bridge=vmbr0'}"
-        cores: "2"
-        memory: "2048"
-        unprivileged: no
-        swap: 0
-        searchdomain: "home"
-        onboot: 1
-        disk: local-lvm:8
-        mounts: '{"mp0":"hyrule-8tb-nfs:500,mp=/media/frigate"}'
-        mounts: '{"mp1":"/dev/bus/usb,mp=/dev/bus/usb"}'
-        force: yes
-
-    - name: Start deployment
-      community.general.proxmox:
-        vmid: 200
-        api_user: root@pam
-        api_password: {{ proxmox_api_password }}
-        api_host: 10.0.2.2
-        state: started

roles/k3s/copy-config/tasks/main.yml

@@ -0,0 +1,7 @@
+---
+- name: Store kube configuration
+  ansible.builtin.fetch:
+    src: ~/.kube/config
+    dest: ~/.kube/config
+    flat: true
+  when: ansible_hostname == hostvars[groups['master'][0]]['ansible_hostname']

roles/k3s/master/tasks/main.yml

@@ -1,5 +1,4 @@
 ---
-
 - name: Clean previous runs of k3s-init
   systemd:
     name: k3s-init
@@ -11,7 +10,7 @@
   failed_when: false
   changed_when: false
   args:
-    warn: false  # The ansible systemd module does not support reset-failed
+    warn: false # The ansible systemd module does not support reset-failed
 
 - name: Create manifests directory on first master
   file:
@@ -62,12 +61,12 @@
 - name: Init cluster inside the transient k3s-init service
   command:
     cmd: "systemd-run -p RestartSec=2 \
-                      -p Restart=on-failure \
-                      --unit=k3s-init \
-                      k3s server {{ server_init_args }}"
+      -p Restart=on-failure \
+      --unit=k3s-init \
+      k3s server {{ server_init_args }}"
     creates: "{{ systemd_dir }}/k3s.service"
   args:
-    warn: false  # The ansible systemd module does not support transient units
+    warn: false # The ansible systemd module does not support transient units
 
 - name: Verification
   block:

roles/k3s/pre/tasks/main.yml

@@ -1,57 +0,0 @@
----
-- name: Get uptime information
-  ansible.builtin.shell: /usr/bin/uptime
-
-- name: Stop containers
-  community.general.proxmox:
-    vmid: "{{ hostvars[item]['vmid'] }}"
-    api_user: root@pam
-    api_password: "{{ proxmox_api_password }}"
-    api_host: 10.0.2.2
-    state: stopped
-  loop: "{{ groups['k3s_cluster'] }}"
-  ignore_errors: true
-
-- name: Remove containers
-  community.general.proxmox:
-    vmid: "{{ hostvars[item]['vmid'] }}"
-    api_user: root@pam
-    api_password: "{{ proxmox_api_password }}"
-    api_host: "{{ hostvars[item]['ip_addr'] }}"
-    state: absent
-  loop: "{{ groups['k3s_cluster'] }}"
-  ignore_errors: true
-
-- name: Create containers
-  community.general.proxmox:
-    vmid: "{{ hostvars[item]['vmid'] }}"
-    node: "{{ item }}"
-    api_user: root@pam
-    api_password: "{{ proxmox_api_password }}"
-    api_host: 10.0.2.2
-    password: "{{ lxc_password }}"
-    hostname: "{{ hostvars[item]['hostname'] }}"
-    ostemplate: "hyrule-8tb-nfs:vztmpl/debian-11-standard_11.3-1_amd64.tar.zst"
-    netif: "{'net0':'name=eth0,\
-      gw=10.0.0.1,\
-      ip={{ hostvars[item]['lxc_host'] }}/21,\
-      hwaddr={{ hostvars[item]['mac_addr'] }},\
-      bridge=vmbr0'}"
-    cores: "{{ hostvars[item]['cores'] }}"
-    memory: "{{ hostvars[item]['memory'] }}"
-    unprivileged: no
-    swap: 0
-    searchdomain: "home"
-    onboot: 1
-    disk: local-lvm:{{ hostvars[item]['disk'] }}
-    force: yes
-  loop: "{{ groups['k3s_cluster'] }}"
-
-- name: Start deployments
-  community.general.proxmox:
-    vmid: "{{ hostvars[item]['vmid'] }}"
-    api_user: root@pam
-    api_password: "{{ proxmox_api_password }}"
-    api_host: 10.0.2.2
-    state: started
-  loop: "{{ groups['k3s_cluster'] }}"

roles/nginx/tasks/main.yml

@@ -0,0 +1,18 @@
+---
+- name: Deploy nginx - deployment
+  kubernetes.core.k8s:
+    kubeconfig: /Users/lino.silva/.kube/config
+    state: present
+    definition: "{{ lookup('template', 'deployment.yml') | from_yaml }}"
+
+- name: Deploy nginx - service
+  kubernetes.core.k8s:
+    kubeconfig: /Users/lino.silva/.kube/config
+    state: present
+    definition: "{{ lookup('template', 'service.yml') | from_yaml }}"
+
+- name: Deploy nginx - ingress
+  kubernetes.core.k8s:
+    kubeconfig: /Users/lino.silva/.kube/config
+    state: present
+    definition: "{{ lookup('template', 'ingress.yml') | from_yaml }}"

roles/nginx/templates/deployment.yml

@@ -0,0 +1,25 @@
+---
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: nginx
+  namespace: default
+  labels:
+    app: nginx
+spec:
+  replicas: 3
+  progressDeadlineSeconds: 600
+  revisionHistoryLimit: 2
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+        - name: nginx
+          image: nginx:latest

roles/nginx/templates/ingress.yml

@@ -0,0 +1,26 @@
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: nginx
+  namespace: default
+  annotations:
+    kubernetes.io/ingress.class: traefik-external
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`www.nginx.lino.cooking`)
+      kind: Rule
+      services:
+        - name: nginx
+          port: 80
+    - match: Host(`nginx.lino.cooking`)
+      kind: Rule
+      services:
+        - name: nginx
+          port: 80
+      middlewares:
+        - name: default-headers
+  tls:
+    secretName: lino-cooking-tls

roles/nginx/templates/service.yml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: nginx
+  namespace: default
+spec:
+  selector:
+    app: nginx
+  ports:
+    - name: http
+      targetPort: 80
+      port: 80

roles/prereq/tasks/main.yml

@@ -63,3 +63,14 @@
     path: /etc/sudoers
     validate: "visudo -cf %s"
   when: ansible_os_family == "RedHat"
+
+- name: Copy /etc/rc.local file
+  template:
+    src: "rclocal.j2"
+    dest: "/etc/rc.local"
+    owner: root
+    group: root
+    mode: a+x
+
+- name: Reboot
+  ansible.builtin.reboot:

roles/prereq/templates/rclocal.j2

@@ -0,0 +1,3 @@
+#!/bin/sh -e
+ln -s /dev/console /dev/kmsg
+mount --make-rshared /

roles/provision/cgroup/tasks/main.yml

@@ -0,0 +1,28 @@
+---
+- name: Add cgroup rule
+  ansible.builtin.lineinfile:
+    path: /etc/pve/nodes/{{ ansible_hostname }}/lxc/"{{ hostvars[ansible_hostname]['k3s_vmid'] }}".conf
+    state: present
+    line: lxc.apparmor.profile{{":"}} unconfined
+    validate: /usr/sbin/visudo -cf %s
+
+- name: Add cgroup rule
+  ansible.builtin.lineinfile:
+    path: /etc/pve/nodes/{{ ansible_hostname }}/lxc/"{{ hostvars[ansible_hostname]['k3s_vmid'] }}".conf
+    state: present
+    line: lxc.cap.drop{{":"}}
+    validate: /usr/sbin/visudo -cf %s
+
+- name: Add cgroup rule
+  ansible.builtin.lineinfile:
+    path: /etc/pve/nodes/{{ ansible_hostname }}/lxc/"{{ hostvars[ansible_hostname]['k3s_vmid'] }}".conf
+    state: present
+    line: lxc.mount.auto"{{":"}}" "proc{{":"}}rw sys{{":"}}rw"
+    validate: /usr/sbin/visudo -cf %s
+
+- name: Add cgroup rule
+  ansible.builtin.lineinfile:
+    path: /etc/pve/nodes/{{ ansible_hostname }}/lxc/"{{ hostvars[ansible_hostname]['k3s_vmid'] }}".conf
+    state: present
+    line: lxc.cgroup2.devices.allow{{":"}} c 10{{":"}}200 rwm
+    validate: /usr/sbin/visudo -cf %s

roles/provision/create/tasks/main.yml

@@ -0,0 +1,27 @@
+---
+- name: Create containers
+  community.general.proxmox:
+    vmid: "{{ hostvars[item]['k3s_vmid'] }}"
+    node: "{{ item }}"
+    api_user: root@pam
+    api_password: "{{ proxmox_api_password }}"
+    api_host: 10.0.2.2
+    password: "{{ lxc_password }}"
+    hostname: "{{ hostvars[item]['k3s_hostname'] }}"
+    ostemplate: "hyrule-8tb-nfs:vztmpl/debian-11-standard_11.3-1_amd64.tar.zst"
+    netif: "{'net0':'name=eth0,\
+      gw=10.0.0.1,\
+      ip={{ hostvars[item]['k3s_lxc_host'] }}/21,\
+      hwaddr={{ hostvars[item]['k3s_mac_addr'] }},\
+      bridge=vmbr0'}"
+    cores: "{{ hostvars[item]['k3s_cores'] }}"
+    memory: "{{ hostvars[item]['k3s_memory'] }}"
+    unprivileged: no
+    swap: 0
+    searchdomain: "home"
+    onboot: 1
+    features:
+      - nesting=1
+    disk: local-lvm:{{ hostvars[item]['k3s_disk'] }}
+    force: yes
+  loop: "{{ groups['baremetal'] }}"

roles/provision/delete/tasks/main.yml

@@ -0,0 +1,27 @@
+---
+- name: Stop containers
+  community.general.proxmox:
+    vmid: "{{ hostvars[item]['k3s_vmid'] }}"
+    api_user: root@pam
+    api_password: "{{ proxmox_api_password }}"
+    api_host: 10.0.2.2
+    state: stopped
+  loop: "{{ groups['baremetal'] }}"
+  ignore_errors: true
+
+- name: Remove containers
+  community.general.proxmox:
+    vmid: "{{ hostvars[item]['k3s_vmid'] }}"
+    api_user: root@pam
+    api_password: "{{ proxmox_api_password }}"
+    api_host: "{{ hostvars[item]['ip_addr'] }}"
+    state: absent
+  loop: "{{ groups['baremetal'] }}"
+  ignore_errors: true
+
+- name: Remove .ssh/known_hosts lines
+  ansible.builtin.lineinfile:
+    path: /Users/lino.silva/.ssh/known_hosts
+    state: absent
+    regexp: '^{{ hostvars[item]["k3s_lxc_host"] }}'
+  loop: "{{ groups['baremetal'] }}"

roles/provision/enable-ssh/tasks/main.yml

@@ -0,0 +1,8 @@
+---
+# Unable to use ansible.builtin.lineinfile, because we need to run this through the proxmox host (because SSH is not enabled duh)
+
+- name: Allow SSH into LXC
+  ansible.builtin.command: lxc-attach -n "{{ k3s_vmid }}" -- sed -i "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g" /etc/ssh/sshd_config
+
+- name: Restart SSH Service
+  ansible.builtin.command: lxc-attach -n "{{ k3s_vmid }}" service ssh restart

roles/provision/pre/tasks/main.yml

@@ -0,0 +1,12 @@
+---
+- name: Allow ipv4 forwarding
+  ansible.builtin.shell: "sysctl net.ipv4.ip_forward=1"
+
+- name: Allow ipv6 forwarding
+  ansible.builtin.shell: "sysctl net.ipv6.conf.all.forwarding=1"
+
+- name: Uncomment ipv4 forward line on /etc/sysctl.conf
+  ansible.builtin.shell: "sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf"
+
+- name: Uncomment ipv6 forward line on /etc/sysctl.conf
+  ansible.builtin.shell: "sed -i 's/#net.ipv6.conf.all.forwarding=1/net.ipv6.conf.all.forwarding=1/g' /etc/sysctl.conf"

roles/provision/start/tasks/main.yml

@@ -0,0 +1,9 @@
+---
+- name: Start deployments
+  community.general.proxmox:
+    vmid: "{{ hostvars[item]['k3s_vmid'] }}"
+    api_user: root@pam
+    api_password: "{{ proxmox_api_password }}"
+    api_host: 10.0.2.2
+    state: started
+  loop: "{{ groups['baremetal'] }}"

roles/traefik/tasks/main.yml

@@ -0,0 +1,47 @@
+---
+# From repository
+- name: Add traefik helm repo
+  kubernetes.core.helm_repository:
+    name: traefik
+    repo_url: "https://helm.traefik.io/traefik"
+
+- name: Update the repository cache
+  kubernetes.core.helm:
+    kubeconfig: /Users/lino.silva/.kube/config
+    name: dummy
+    namespace: kube-system
+    state: absent
+    update_repo_cache: true
+
+- name: Deploy latest version of Traefik chart inside traefik namespace (and create it)
+  kubernetes.core.helm:
+    kubeconfig: /Users/lino.silva/.kube/config
+    name: traefik
+    chart_ref: traefik/traefik
+    release_namespace: traefik
+    create_namespace: true
+    values: "{{ lookup('template', 'values.yml') | from_yaml }}"
+
+- name: Create a Deployment by reading the definition from a local file
+  kubernetes.core.k8s:
+    kubeconfig: /Users/lino.silva/.kube/config
+    state: present
+    definition: "{{ lookup('template', 'default-headers.yml') | from_yaml }}"
+
+- name: Create a Deployment by reading the definition from a local file
+  kubernetes.core.k8s:
+    kubeconfig: /Users/lino.silva/.kube/config
+    state: present
+    definition: "{{ lookup('template', 'secret-dashboard.yml') | from_yaml }}"
+
+- name: Create a Deployment by reading the definition from a local file
+  kubernetes.core.k8s:
+    kubeconfig: /Users/lino.silva/.kube/config
+    state: present
+    definition: "{{ lookup('template', 'dashboard-middleware.yml') | from_yaml }}"
+
+- name: Create a Deployment by reading the definition from a local file
+  kubernetes.core.k8s:
+    kubeconfig: /Users/lino.silva/.kube/config
+    state: present
+    definition: "{{ lookup('template', 'dashboard-ingress.yml') | from_yaml }}"

roles/traefik/templates/dashboard-ingress.yml

@@ -0,0 +1,21 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-dashboard
+  namespace: traefik
+  annotations:
+    kubernetes.io/ingress.class: traefik-external
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`traefik-dash.lino.cooking`)
+      kind: Rule
+      middlewares:
+        - name: traefik-dashboard-basicauth
+          namespace: traefik
+      services:
+        - name: api@internal
+          kind: TraefikService
+ tls:
+   secretName: lino-cooking-staging-tls

roles/traefik/templates/dashboard-middleware.yml

@@ -0,0 +1,8 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: traefik-dashboard-basicauth
+  namespace: traefik
+spec:
+  basicAuth:
+    secret: traefik-dashboard-auth

roles/traefik/templates/default-headers.yml

@@ -0,0 +1,16 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: default-headers
+  namespace: default
+spec:
+  headers:
+    browserXssFilter: true
+    contentTypeNosniff: true
+    forceSTSHeader: true
+    stsIncludeSubdomains: true
+    stsPreload: true
+    stsSeconds: 15552000
+    customFrameOptionsValue: SAMEORIGIN
+    customRequestHeaders:
+      X-Forwarded-Proto: https

roles/traefik/templates/secret-dashboard.yml

@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: traefik-dashboard-auth
+  namespace: traefik
+type: Opaque
+data:
+  users: "{{ traefik_http_auth_user }}"

roles/traefik/templates/values.yml

@@ -0,0 +1,50 @@
+globalArguments:
+  - "--global.sendanonymoususage=false"
+  - "--global.checknewversion=false"
+
+additionalArguments:
+  - "--serversTransport.insecureSkipVerify=true"
+  - "--log.level=INFO"
+
+deployment:
+  enabled: true
+  replicas: 3
+  annotations: {}
+  podAnnotations: {}
+  additionalContainers: []
+  initContainers: []
+
+ports:
+  web:
+    redirectTo: websecure
+  websecure:
+    tls:
+      enabled: true
+
+ingressRoute:
+  dashboard:
+    enabled: false
+
+providers:
+  kubernetesCRD:
+    enabled: true
+    ingressClass: traefik-external
+    allowExternalNameServices: true
+  kubernetesIngress:
+    enabled: true
+    publishedService:
+      enabled: false
+    allowExternalNameServices: true
+
+rbac:
+  enabled: true
+
+service:
+  enabled: true
+  type: LoadBalancer
+  annotations: {}
+  labels: {}
+  spec:
+    loadBalancerIP: 10.1.1.3 # this should be an IP in the MetalLB range
+  loadBalancerSourceRanges: []
+  externalIPs: []