# apiVersion: traefik.containo.us/v1alpha1
# kind: IngressRoute
# metadata:
#   name: syncthing-ingress
#   namespace: syncthing
# spec:
#   entryPoints:
#     - websecure
#   routes:
#     - match: Host(`syncthing.kluster.moll.re`)
#       kind: Rule
#       services:
#         - name: syncthing
#           port: 8384
#   tls:
#     certResolver: default-tls

# Traefik ForwardAuth middleware. Every request on a route that references
# `authentik-auth` is first sent to the authentik outpost endpoint below and
# is passed on to the backend only when that endpoint answers with a 2xx.
# NOTE(review): `traefik.containo.us` is the legacy CRD API group; newer
# Traefik releases serve these kinds under `traefik.io/v1alpha1`. Check this
# against the deployed Traefik version before upgrading.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: authentik-auth
  namespace: syncthing
spec:
  forwardAuth:
    # NOTE(review): the auth endpoint is addressed through the public hostname
    # of the protected application itself. Nothing in this file routes
    # /outpost.goauthentik.io/ to an authentik outpost, so that route is
    # presumably defined elsewhere. Confirm it exists and takes priority over
    # the host-wide rule of the IngressRoute; otherwise the auth sub-request
    # lands on the protected route instead of the outpost.
    address: https://syncthing.kluster.moll.re/outpost.goauthentik.io/auth/traefik
    # Keeps X-Forwarded-* headers already present on the incoming request
    # instead of overwriting them for the auth sub-request. The auth decision
    # then depends on those headers being trustworthy: verify that the entry
    # point only accepts them from known proxies (forwardedHeaders.trustedIPs
    # set, forwardedHeaders.insecure not enabled).
    trustForwardHeader: true
    # Headers copied from the auth response onto the request forwarded to the
    # backend. NOTE(review): this list hands identity data and a token
    # (X-authentik-jwt) to the backend; trim it to what the backend actually
    # consumes. Any backend that trusts these headers must be reachable only
    # through a route that applies this middleware.
    authResponseHeaders:
      - X-authentik-username
      - X-authentik-groups
      - X-authentik-email
      - X-authentik-name
      - X-authentik-uid
      - X-authentik-jwt
      - X-authentik-meta-jwks
      - X-authentik-meta-outpost
      - X-authentik-meta-provider
      - X-authentik-meta-app
      - X-authentik-meta-version

---

# Publishes the `syncthing` service on port 8384 (Syncthing's default web GUI
# port) on the `websecure` entry point, with the `authentik-auth` forward-auth
# middleware in front of it.
# NOTE(review): the commented-out IngressRoute at the top of this file is the
# same route (same name and namespace) without the middleware. Re-applying it
# would replace this object and publish the service without the authentik
# check, so remove that copy if it is no longer needed.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: syncthing-ingress
  namespace: syncthing
spec:
  entryPoints:
    - websecure
  routes:
    # Single host-wide rule: every path on this hostname goes through the
    # middleware chain below. NOTE(review): that includes the
    # /outpost.goauthentik.io/ path which the middleware's own auth address
    # points at. Confirm that a more specific route to the authentik outpost
    # exists elsewhere.
    - match: Host(`syncthing.kluster.moll.re`)
      kind: Rule
      # No namespace is given, so the reference resolves to the Middleware
      # named `authentik-auth` in this IngressRoute's namespace (`syncthing`).
      # Removing this entry exposes the backend with only its own login, if
      # one is configured.
      middlewares:
        - name: authentik-auth
      services:
        - name: syncthing
          port: 8384
  tls:
    # Certificate resolver name; it must match a resolver defined in
    # Traefik's static configuration, which is not visible in this file.
    certResolver: default-tls