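---
# Strip Authorization header for WebDAV so Authentik doesn't try to interpret
# Basic Auth.
# NOTE(review): an empty value removes the header from the request, so nothing
# after this middleware on the route sees the client's Basic Auth credentials
# either, including the backend. Confirm that WebDAV clients still
# authenticate as intended on the routes that attach it.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: webdav-strip-auth
spec:
  headers:
    customRequestHeaders:
      Authorization: ""
---
# Rate limit to protect from brute force / bots.
# `average` is counted per period (Traefik's default period is 1s) and, with
# no sourceCriterion set, per client remote address.
# NOTE(review): 100 requests/s with a burst of 500 is a flood guard rather
# than a brute-force limit for login endpoints. If another proxy sits in front
# of Traefik, the remote address may be that proxy's, so all clients would
# share one bucket. Confirm, and consider a tighter limit plus an explicit
# sourceCriterion on the authentication routes.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: rate-limit
spec:
  rateLimit:
    average: 100
    burst: 500
---
# Optional: security headers for UI.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: nextcloud-security-headers
spec:
  headers:
    browserXssFilter: true
    contentTypeNosniff: true
    # frameDeny would send X-Frame-Options: DENY; it is off here and
    # SAMEORIGIN is set through customResponseHeaders below.
    frameDeny: false
    referrerPolicy: "no-referrer"
    # 15552000 s = 180 days.
    # NOTE(review): the HSTS preload list asks for a max-age of at least one
    # year (31536000), so stsPreload with this value will not qualify. Preload
    # is also slow to undo; enable it only once every subdomain serves HTTPS.
    stsSeconds: 15552000
    stsIncludeSubdomains: true
    stsPreload: true
    customResponseHeaders:
      # An empty value removes the header from the response.
      X-Powered-By: ""
      # The next two repeat what contentTypeNosniff and browserXssFilter
      # already emit. X-XSS-Protection is a legacy header that current
      # browsers ignore.
      X-Content-Type-Options: "nosniff"
      X-Frame-Options: "SAMEORIGIN"
      X-XSS-Protection: "1; mode=block"
---
# Delegates authentication to the Authentik embedded outpost and copies the
# listed X-authentik-* headers from its response onto the request that is
# forwarded to the backend.
# NOTE(review): the backend should trust these identity headers only on
# requests that passed through this middleware. Make sure the service is not
# reachable through a route (or directly in-cluster) that skips it.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: authentik-forward-auth
spec:
  forwardAuth:
    # Plain HTTP to an in-cluster service; the traffic is unencrypted inside
    # the cluster network.
    address: "http://ak-outpost-authentik-embedded-outpost.id-limbosolutions-com.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik"
    # Passes the client-supplied X-Forwarded-* headers to the outpost as-is.
    # NOTE(review): safe only when a trusted proxy in front of Traefik sets
    # those headers; if Traefik is the edge, clients can forge them.
    trustForwardHeader: true
    authResponseHeaders:
      - X-authentik-username
      - X-authentik-groups
      - X-authentik-entitlements
      - X-authentik-email
      - X-authentik-name
      - X-authentik-uid
      - X-authentik-jwt
      - X-authentik-meta-jwks
      - X-authentik-meta-outpost
      - X-authentik-meta-provider
      - X-authentik-meta-app
      - X-authentik-meta-version
---
# Sends requests for Nextcloud's internal directories and scripts back to /.
# NOTE(review): Traefik's redirectRegex tests the pattern against the full
# request URL (scheme://host/path), not the path alone, so a pattern anchored
# with "^/" is not expected to match any request. Verify that a request for
# /config/ is actually redirected. If it is not, the pattern has to begin with
# the scheme and host (e.g. "^https?://[^/]+/(...)") and the replacement must
# be rewritten to match, or the paths can be blocked by a router rule instead.
# The alternatives are also bare prefixes with no "/" or end-of-path boundary,
# so "data" covers /database as well.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: nextcloud-deny-paths
spec:
  redirectRegex:
    regex: "^/(build|tests|config|lib|3rdparty|templates|data|autotest|occ|issue|indie|db_|console)"
    replacement: "/"
    permanent: false
---
# Service discovery redirect for CardDAV/CalDAV clients.
# NOTE(review): the full-URL matching caveat described on nextcloud-deny-paths
# applies to this and the following redirectRegex middlewares too.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: nextcloud-dav
spec:
  redirectRegex:
    regex: "^/.well-known/(carddav|caldav)$"
    replacement: "/remote.php/dav"
    permanent: true
---
# Redirects webfinger/nodeinfo discovery to Nextcloud's index.php handler.
# ${1} is the first capture group; it must be renumbered if a scheme/host
# group is ever added in front of it.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: nextcloud-wellknown
spec:
  redirectRegex:
    regex: "^/.well-known/(webfinger|nodeinfo)$"
    replacement: "/index.php/.well-known/${1}"
    permanent: true
---
# Redirects host-meta discovery to public.php.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: nextcloud-hostmeta
spec:
  redirectRegex:
    regex: "^/.well-known/host-meta$"
    replacement: "/public.php?service=host-meta"
    permanent: true
---
# Redirects host-meta.json discovery to public.php.
# The "." characters in the pattern are unescaped and match any character.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: nextcloud-hostmeta-json
spec:
  redirectRegex:
    regex: "^/.well-known/host-meta.json$"
    replacement: "/public.php?service=host-meta-json"
    permanent: true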