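# Traefik dynamic configuration: HTTP middlewares, routers, services and
# servers transports, plus the TLS options used by the HTTPS entry point.
# All backends below are RFC 1918 addresses serving admin interfaces.
http:
  middlewares:
    # Middleware to redirect non-www to www (optional, valid for sterl.xyz if needed)
    # NOTE(review): "$${1}" looks like the Docker-label escaping of "${1}";
    # in a YAML file the capture group is normally written "${1}" - confirm
    # before enabling.
    # my-www-redirect:
    #   redirectRegex:
    #     regex: "^https?://(?:www\\.)?(.+)"
    #     replacement: "https://www.$${1}"

    # Secure Headers Middleware
    # NOTE(review): no router in this file lists this middleware, so it only
    # takes effect if it is attached elsewhere (for example on the websecure
    # entry point in the static configuration) - verify, otherwise none of
    # these headers are sent.
    security-headers:
      headers:
        customResponseHeaders:
          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
          # An empty value removes the header, hiding the backend's Server banner.
          server: ""
        sslProxyHeaders:
          X-Forwarded-Proto: https
        referrerPolicy: "same-origin"
        # X-Forwarded-Host is client-controllable unless an upstream proxy
        # overwrites it; only rely on it when such a trusted proxy exists.
        hostsProxyHeaders:
          - "X-Forwarded-Host"
        customRequestHeaders:
          X-Forwarded-Proto: "https"
        contentTypeNosniff: true
        # Emits the legacy X-XSS-Protection header, which current browsers
        # ignore; a Content-Security-Policy is the effective control.
        browserXssFilter: true
        # HSTS for two years, covering every subdomain, with the preload flag.
        # Preload-list inclusion is slow to undo: every subdomain must keep
        # serving valid HTTPS for as long as the entry is cached.
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsSeconds: 63072000
        stsPreload: true

    # Basic Auth Middleware (Example)
    # "$apr1$" is the MD5-based htpasswd format; prefer a bcrypt hash
    # (htpasswd -B) if this is enabled.
    # my-basic-auth:
    #   basicAuth:
    #     users:
    #       - "admin:$apr1$..."

  routers:
    # NOTE(review): these routers publish admin interfaces without any
    # middleware (no security-headers, no authentication, no source-IP
    # restriction). If the websecure entry point is reachable from outside
    # the LAN, each UI is protected only by its own login page. To attach
    # the headers middleware defined above, add to a router:
    #   middlewares:
    #     - security-headers

    # Pi-hole
    pihole:
      rule: "Host(`pihole.sterl.xyz`)"
      service: pihole
      entryPoints:
        - websecure
      tls:
        certResolver: cfresolver

    # Pi-hole 2
    pihole2:
      rule: "Host(`pihole2.sterl.xyz`)"
      service: pihole2
      entryPoints:
        - websecure
      tls:
        certResolver: cfresolver

    # Proxmox (HTTPS)
    proxmox:
      rule: "Host(`proxmox.sterl.xyz`)"
      service: proxmox
      entryPoints:
        - websecure
      tls:
        certResolver: cfresolver

    # Proxmox Monitor
    proxmox-monitor:
      rule: "Host(`proxmox-monitor.sterl.xyz`)"
      service: proxmox-monitor
      entryPoints:
        - websecure
      tls:
        certResolver: cfresolver

    # OpenMediaVault (OMV)
    omv:
      rule: "Host(`omv.sterl.xyz`)"
      service: omv
      entryPoints:
        - websecure
      tls:
        certResolver: cfresolver

  services:
    # The http:// backends carry admin sessions in clear text between the
    # proxy and the host; acceptable only on a network segment you trust.
    pihole:
      loadBalancer:
        servers:
          - url: "http://192.168.1.196:7300"

    pihole2:
      loadBalancer:
        servers:
          - url: "http://192.168.1.245:7300"

    proxmox:
      loadBalancer:
        servers:
          # Proxmox typically runs on HTTPS with self-signed certs
          - url: "https://192.168.1.57:8006"
        # serversTransport belongs to loadBalancer (a sibling of servers),
        # not to an individual server entry.
        serversTransport: "insecureSkipVerify"

    proxmox-monitor:
      loadBalancer:
        servers:
          - url: "http://192.168.1.57:8008"

    omv:
      loadBalancer:
        servers:
          - url: "http://192.168.1.70:80"

  serversTransports:
    # Disables verification of the backend certificate, so anything able to
    # answer on 192.168.1.57:8006 is accepted as Proxmox. Safer alternative:
    # keep verification on and trust the Proxmox CA instead, e.g.
    #   rootCAs:
    #     - /path/to/proxmox-ca.pem   # placeholder path
    #   serverName: <name-in-backend-cert>   # placeholder
    insecureSkipVerify:
      insecureSkipVerify: true

# TLS options are a root-level section of the dynamic configuration, next to
# "http", not a child of it; nested under "http" they are not applied.
tls:
  options:
    default:
      # TLS 1.2 floor; the list below restricts TLS 1.2 to ECDHE + AEAD
      # suites (TLS 1.3 suites are not configurable here).
      # Optional hardening to evaluate: sniStrict: true
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305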