# Podman Quadlet container unit that runs Traefik as the host's reverse proxy.
# Comments are full-line "#" only; one key=value pair per line.

[Unit]
Description=traefik web server
Wants=network-online.target
After=network-online.target
# After= only orders start-up; there is no Wants=/Requires= on kanidm.service,
# so this unit still starts when kanidm is absent or failed.
After=kanidm.service

[Container]
ContainerName=traefik
# NOTE(review): --privileged removes most container isolation. Together with the
# Podman socket mounted below, a compromise of the Traefik process is effectively
# root on the host. Confirm it is really required; if it is only here so the
# container can reach the socket under SELinux, a narrower setting such as
# SecurityLabelDisable=true may be enough - verify before changing.
PodmanArgs=--privileged
# Blocks privilege gain through setuid/setgid binaries; it does not narrow what
# --privileged already grants.
NoNewPrivileges=true
# Mutable tag: AutoUpdate=registry (below) pulls whatever the registry serves
# under "3.0", so the running image changes without a change to this file.
Image=docker.io/library/traefik:3.0
# HTTP and HTTPS are published on every IPv4 and IPv6 address of the host.
# 443/udp is presumably for HTTP/3 (QUIC) - confirm it is enabled in config.toml,
# otherwise the UDP publishes can be dropped.
PublishPort=0.0.0.0:80:80/tcp
PublishPort=0.0.0.0:443:443/tcp
PublishPort=0.0.0.0:443:443/udp
PublishPort=[::]:80:80/tcp
PublishPort=[::]:443:443/tcp
PublishPort=[::]:443:443/udp
# PublishPort=8448:8448/tcp
# Root filesystem is read-only; only the volumes below can be written to.
ReadOnly=true
# Host Podman API socket exposed at the Docker socket path, presumably for
# Traefik's Docker provider. Access to this socket is full control over the
# host's containers. NOTE(review): consider a filtering socket proxy that only
# allows read-only API calls, and confirm that relabelling the socket with ":z"
# is intended.
Volume=/run/podman/podman.sock:/var/run/docker.sock:z
# Writable; presumably certificate/ACME storage and therefore holds private
# keys - keep the host directory readable by root only (TODO confirm).
Volume=/var/srv/traefik:/certificates:z
# Static configuration, mounted read-only.
Volume=/etc/traefik:/etc/traefik:ro,z
# Volume defined by a separate kanidm-certs.volume unit, mounted read-only.
Volume=kanidm-certs.volume:/kanidm_certs:ro,z
# Volume=/var/srv/matrix/caddy/config:/config:z
# Volume=/var/srv/matrix/caddy/data:/data:z
# Volume=/var/srv/matrix/caddy/Caddyfile:/etc/caddy/Caddyfile:ro,z
AutoUpdate=registry
Network=web.network
# IP=176.126.240.240
# IP6=fe80::9724:38eb:9b0f:df7c
Exec=traefik --configFile=/etc/traefik/config.toml
# Points TLS root lookup at the CA file from the kanidm-certs volume.
# NOTE(review): check that this does not displace the public roots Traefik needs
# for other outbound TLS (for example an ACME endpoint).
Environment="SSL_CERT_FILE=/kanidm_certs/ca.pem"
# Labels on the Traefik container itself; they declare the "compress" and "hsts"
# middlewares (presumably picked up through the Docker provider).
Label="traefik.http.middlewares.compress.compress=true"
# HSTS: max-age of 31536000 s (one year), no includeSubDomains, preload set.
# NOTE(review): the browser preload list requires includeSubDomains, so
# stspreload=true with stsincludesubdomains=false will not qualify a domain for
# preloading - confirm which of the two is intended.
Label="traefik.http.middlewares.hsts.headers.stsincludesubdomains=false"
Label="traefik.http.middlewares.hsts.headers.stspreload=true"
Label="traefik.http.middlewares.hsts.headers.stsseconds=31536000"
Label="traefik.http.middlewares.hsts.headers.isdevelopment=false"

[Service]
Restart=on-failure
# 900 s start timeout; presumably leaves room for the image pull on first start.
TimeoutStartSec=900

[Install]
WantedBy=default.target