apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: {{ .Release.Name }}-tls
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  entryPoints:
    - websecure
  tls:
    certResolver: duconet
  routes:
  - match: Host(`{{ .Release.Name }}.ducoterra.net`)
    kind: Rule
    services:
    - name: {{ .Release.Name }}
      port: 8096
    middlewares:
      - name: headers-{{ .Release.Name }}
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: {{ .Release.Name }}
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  entryPoints:
    - web
  routes:
  - match: Host(`{{ .Release.Name }}.ducoterra.net`)
    kind: Rule
    services:
    - name: {{ .Release.Name }}
      port: 8096
    middlewares:
      - name: httpsredirect-{{ .Release.Name }}
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: httpsredirect-{{ .Release.Name }}
spec:
  redirectScheme:
    scheme: https
    permanent: true
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: headers-{{ .Release.Name }}
spec:
  headers:
    customResponseHeaders:
      X-Robots-Tag: "noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
    SSLHost: "jellyfin.ducoterra.net"
    SSLForceHost: true
    STSSeconds: "315360000"
    STSIncludeSubdomains: true
    STSPreload: true
    forceSTSHeader: true
    frameDeny: true
    contentTypeNosniff: true
    browserXSSFilter: true
    customFrameOptionsValue: "https://jellyfin.ducoterra.net"