homelab/nixos/hosts/traefik/configuration/middlewares.nix

let
  internalNetwork = "192.168.1.0/24";
in {
  internal-whitelist = {
    ipWhiteList.sourceRange = [internalNetwork];
  };

  auth-headers = {
    headers = {
      sslRedirect = true;
      stsSeconds = 315360000;
      browserXssFilter = true;
      contentTypeNosniff = true;
      forceSTSHeader = true;
      sslHost = "procopius.dk";
      stsIncludeSubdomains = true;
      stsPreload = true;
      frameDeny = true;
    };
  };

  authelia = {
    forwardAuth = {
      address = "http://auth.lab:9091/api/authz/forward-auth";
      trustForwardHeader = true;
      authResponseHeaders = [
        "Remote-User"
        "Remote-Groups"
        "Remote-Email"
        "Remote-Name"
      ];
    };
  };
}