---
# Traefik IngressRoute exposing Nextcloud at cloud.limbosolutions.com on the
# `websecure` entry point. Four routes split traffic by path: the authentik
# outpost callback, public share links, sync/mobile client endpoints, and a
# catch-all for the web UI.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: nextcloud-web
  annotations:
    # NOTE(review): cert-manager's ingress-shim normally acts on Ingress and
    # Gateway objects; confirm that a Certificate resource (or equivalent)
    # actually populates the TLS secret referenced below.
    cert-manager.io/cluster-issuer: letsencrypt-prod
    kubernetes.io/ingress.class: traefik
spec:
  entryPoints:
    - websecure
  tls:
    secretName: cloud-limbosolutions-com-tls
    domains:
      - main: cloud.limbosolutions.com
  routes:
    # Route 1 - authentik outpost endpoint.
    # Sent to the embedded outpost service in the id-limbosolutions-com
    # namespace; no middlewares are attached to this route.
    - match: 'Host(`cloud.limbosolutions.com`) && PathPrefix(`/outpost.goauthentik.io`)'
      kind: Rule
      services:
        - name: ak-outpost-authentik-embedded-outpost
          namespace: id-limbosolutions-com
          port: 9000

    # Route 2 - public share links (no SSO at the proxy).
    # Rate limiting and the security-header middleware are applied.
    # NOTE(review): `/remote.php/dav/public-files/` also matches the
    # `/remote.php/dav` prefix in route 3. No `priority` is set on any route,
    # and Traefik's default ordering is by rule length rather than file order,
    # so the longer route 3 rule presumably wins for that path (and applies
    # webdav-strip-auth instead of nextcloud-security-headers). Set an explicit
    # `priority` if this route is meant to handle public-files.
    - match: >-
        Host(`cloud.limbosolutions.com`) &&
        (PathPrefix(`/s/`) ||
        PathPrefix(`/index.php/s/`) ||
        PathPrefix(`/public.php/`) ||
        PathPrefix(`/remote.php/dav/public-files/`))
      kind: Rule
      services:
        - name: nextcloud
          port: 8080
      middlewares:
        - name: rate-limit
        - name: nextcloud-security-headers

    # Route 3 - sync clients and mobile app endpoints (no SSO at the proxy).
    # These paths reach Nextcloud without forward-auth, so access control here
    # depends on Nextcloud's own authentication - TODO confirm.
    # nextcloud-security-headers is not attached to this route.
    # `/index.php/login/v2/poll` is already covered by `/index.php/login/v2`.
    - match: >-
        Host(`cloud.limbosolutions.com`) &&
        (PathPrefix(`/remote.php/dav`) ||
        PathPrefix(`/remote.php/webdav`) ||
        PathPrefix(`/remote.php/caldav`) ||
        PathPrefix(`/remote.php/carddav`) ||
        PathPrefix(`/ocs/v1.php`) ||
        PathPrefix(`/ocs/v2.php`) ||
        PathPrefix(`/status.php`) ||
        PathPrefix(`/index.php/login/v2`) ||
        PathPrefix(`/index.php/login/v2/poll`))
      kind: Rule
      services:
        - name: nextcloud
          port: 8080
      middlewares:
        - name: webdav-strip-auth
        - name: rate-limit

    # Route 4 - catch-all for every other path on the host (labelled
    # "SSO required").
    # NOTE(review): the authentik forward-auth middleware is commented out
    # below, so nothing on this route enforces SSO at the proxy. Confirm that
    # login is enforced inside Nextcloud itself, or re-enable the middleware.
    - match: 'Host(`cloud.limbosolutions.com`)'
      kind: Rule
      services:
        - name: nextcloud
          port: 8080
      middlewares:
        # - name: authentik-forward-auth
        - name: nextcloud-security-headers
        - name: rate-limit