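---
# Traefik IngressRoute for the Nextcloud instance at cloud.limbosolutions.com.
# Routes are split so that public share links and WebDAV/sync clients bypass
# the Authentik forward-auth middleware, while all other browser traffic is
# gated by SSO.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: cloud-limbosolutions-com
  annotations:
    # NOTE(review): cert-manager's ingress-shim creates Certificates from
    # Ingress objects, not from IngressRoute CRDs, so this annotation alone
    # does not issue anything. Make sure a Certificate resource backs
    # spec.tls.secretName below.
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # NOTE(review): the two annotations below are read by Traefik on Ingress
    # objects, not on IngressRoute; spec.entryPoints is authoritative here and
    # lists only websecure, so `public-https` is not in effect for this route.
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.entrypoints: websecure, public-https
spec:
  entryPoints:
    - websecure
  tls:
    secretName: cloud-limbosolutions-com-tls
    domains:
      - main: cloud.limbosolutions.com
  # Route precedence: Traefik's default router priority is the rule length,
  # so the bare Host() catch-all (route 3) loses to the path-specific routes
  # above it. Keep it the shortest rule, or set an explicit `priority` on each
  # route when editing the rules; otherwise an SSO-exempt path could fall into
  # the SSO-required route, or the reverse.
  routes:
    # AUTHENTIK OUTPOST
    # Presumably the embedded outpost endpoint used by the forward-auth
    # middleware (login flow / callbacks); it has to stay reachable without SSO.
    - match: Host(`cloud.limbosolutions.com`) && PathPrefix(`/outpost.goauthentik.io`)
      kind: Rule
      services:
        - name: ak-outpost-authentik-embedded-outpost
          namespace: id-limbosolutions-com
          port: 9000
    # 1) PUBLIC SHARES (NO SSO)
    # Share links are served without forward-auth; any access control on them
    # is Nextcloud's own. This rule is longer than route 2, so it also wins
    # for /remote.php/dav/public-files/.
    - match: Host(`cloud.limbosolutions.com`) && (PathPrefix(`/s/`) || PathPrefix(`/index.php/s/`) || PathPrefix(`/public.php/`) || PathPrefix(`/remote.php/dav/public-files/`))
      kind: Rule
      services:
        - name: nextcloud
          port: 8080
      middlewares:
        - name: rate-limit
        - name: security-headers
    # 2) WEBDAV / SYNC CLIENTS (NO SSO)
    # Sync and calendar/contact clients authenticate against Nextcloud itself,
    # so forward-auth is skipped. NOTE(review): unlike routes 1 and 3 there is
    # no security-headers middleware on this route -- confirm that is deliberate.
    - match: Host(`cloud.limbosolutions.com`) && (PathPrefix(`/remote.php/dav`) || PathPrefix(`/remote.php/webdav`) || PathPrefix(`/remote.php/caldav`) || PathPrefix(`/remote.php/carddav`))
      kind: Rule
      services:
        - name: nextcloud
          port: 8080
      middlewares:
        # presumably strips an upstream auth header so Nextcloud sees the
        # client's own credentials -- verify against the middleware definition
        - name: webdav-strip-auth
        - name: rate-limit
    # 3) EVERYTHING ELSE (SSO REQUIRED)
    # Middlewares run in the order listed. rate-limit comes first so that
    # request floods are dropped before the forward-auth round-trip to
    # Authentik, matching the order used in routes 1 and 2.
    - match: Host(`cloud.limbosolutions.com`)
      kind: Rule
      services:
        - name: nextcloud
          port: 8080
      middlewares:
        - name: rate-limit
        # middleware managed by icarus
        - name: authentik-forward-auth
          namespace: kube-system
        - name: security-headers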