apiVersion: v1
kind: Service
metadata:
  name: duplicati
spec:
  ports:
  - name: app
    port: 8200
    protocol: TCP
    targetPort: 8200
  clusterIP: None
  type: ClusterIP

---

apiVersion: v1
kind: Endpoints
metadata:
  name: duplicati
subsets:
- addresses:
  - ip: 192.168.20.253
  ports:
  - name: app
    port: 8200
    protocol: TCP

#---    
#
#apiVersion: networking.k8s.io/v1
#kind: Ingress
#metadata:
#  name: duplicati-ingress
#  annotations:
#    kubernetes.io/ingress.class: nginx
#    cert-manager.io/cluster-issuer: letsencrypt-production 
#    nginx.ingress.kubernetes.io/whitelist-source-range: "192.168.0.0/16"
#    nginx.ingress.kubernetes.io/auth-url: |-
#        http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx
#    nginx.ingress.kubernetes.io/auth-signin: |-
#        https://duplicati.internal.durp.info/outpost.goauthentik.io/start?rd=$escaped_request_uri
#    nginx.ingress.kubernetes.io/auth-response-headers: |-
#        Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
#    nginx.ingress.kubernetes.io/auth-snippet: |
#        proxy_set_header X-Forwarded-Host $http_host;
#spec:
#  rules:
#  - host: duplicati.internal.durp.info
#    http:
#      paths:
#      - path: /
#        pathType: Prefix
#        backend:
#          service:
#            name: duplicati
#            port: 
#              number: 8200         
#      - path: /outpost.goauthentik.io
#        pathType: Prefix
#        backend:
#          service:
#            name: ak-outpost-authentik-embedded-outpost
#            port: 
#              number: 9000
#  tls:
#    - hosts: 
#      - duplicati.internal.durp.info
#      secretName: duplicati-tls

---

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: duplicati-ingress
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-production
    traefik.ingress.kubernetes.io/auth-type: forward
spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`duplicati.internal.durp.info`) && PathPrefix(`/`)
    kind: Rule
    services:
    - name: duplicati
      port: 8200
    middlewares:
    - name: authentik
      namespace: traefik       
  - match: Host(`duplicati.internal.durp.info`) && PathPrefix(`/outpost.goauthentik.io`)
    kind: Rule
    services:
    - name: ak-outpost-authentik-embedded-outpost
      port: 80
  tls:
    secretName: duplicati-tls

---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
    name: authentik
    namespace: traefik
spec:
  forwardAuth:
    address: http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
    trustForwardHeader: true
    authResponseHeaders:
      - X-authentik-username
      - X-authentik-groups
      - X-authentik-email
      - X-authentik-name
      - X-authentik-uid
      - X-authentik-jwt
      - X-authentik-meta-jwks
      - X-authentik-meta-outpost
      - X-authentik-meta-provider
      - X-authentik-meta-app
      - X-authentik-meta-version

---

kind: Service
apiVersion: v1
metadata:
  name: ak-outpost-authentik-embedded-outpost
spec:
  type: ExternalName
  externalName: ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local