---
# Traefik Middleware set for the crowdsec namespace: a CrowdSec bouncer,
# a rate limiter, a security-headers middleware, and a chain combining them.
# The `{{ ... }}` placeholders are template expressions; presumably the file
# is rendered by a template engine before it is parsed as YAML.

# CrowdSec bouncer, run as a Traefik plugin. The key under `plugin`
# (`bouncer`) has to match the plugin name registered in Traefik's static
# configuration, which is not part of this file.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: crowdsec-bouncer
  namespace: crowdsec
  labels:
    app: crowdsec
    managedBy: kustomize
    partOf: wild-cloud
spec:
  plugin:
    bouncer:
      # NOTE(review): plain HTTP to the LAPI service. The bouncer key and the
      # decision stream cross the cluster network unencrypted; confirm that
      # this is acceptable for the cluster, or move the LAPI to https.
      crowdsecLapiScheme: http
      crowdsecLapiHost: 'crowdsec-lapi.crowdsec.svc.cluster.local:8080'
      # The API key is read from a file inside the Traefik container, so the
      # secret itself does not appear in this manifest. The mount providing
      # this path is defined elsewhere.
      crowdsecLapiKeyFile: /etc/traefik/crowdsec/api-key
      crowdsecMode: stream
      updateIntervalSeconds: 15
      defaultDecisionSeconds: 60
      # AppSec (request inspection) forwarding is switched off here.
      crowdsecAppsecEnabled: false
---
# Rate limiter. `average` and `burst` come from template values and are left
# unquoted so that the rendered result stays an integer.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: rate-limit
  namespace: crowdsec
  labels:
    app: crowdsec
    managedBy: kustomize
    partOf: wild-cloud
spec:
  rateLimit:
    # NOTE(review): no sourceCriterion is set, so Traefik groups requests by
    # the connection's remote address. Behind a load balancer or proxy that
    # may be one shared address for all clients; verify for this deployment.
    average: {{ .rateLimitAverage }}
    burst: {{ .rateLimitBurst }}
    # `average` is counted per one-minute period.
    period: '1m'
---
# Response/request header hardening.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: security-headers
  namespace: crowdsec
  labels:
    app: crowdsec
    managedBy: kustomize
    partOf: wild-cloud
spec:
  headers:
    # Emits the legacy X-XSS-Protection header, which current browsers no
    # longer act on.
    browserXssFilter: true
    # X-Content-Type-Options: nosniff
    contentTypeNosniff: true
    # Send the HSTS header even when the connection is not TLS.
    forceSTSHeader: true
    # X-Frame-Options: DENY
    frameDeny: true
    # NOTE(review): sslRedirect is a deprecated headers option; confirm the
    # deployed Traefik version still accepts it.
    sslRedirect: true
    # HSTS: 31536000 seconds (365 days), covering subdomains, with the
    # preload directive. Preload-list inclusion is slow to undo, so every
    # subdomain needs to be HTTPS-only before relying on it.
    stsIncludeSubdomains: true
    stsPreload: true
    stsSeconds: 31536000
    addVaryHeader: true
    accessControlAllowMethods:
      - GET
      - POST
      - PUT
      - DELETE
      - OPTIONS
    # NOTE(review): wildcard CORS origin combined with PUT and DELETE. Any
    # website may issue cross-origin requests and read the responses of every
    # service behind this middleware. Restrict the list to known origins
    # unless all of those services are meant to be public APIs.
    accessControlAllowOriginList:
      - '*'
    # Preflight responses may be cached by the browser for 100 seconds.
    accessControlMaxAge: 100
    # Set on every request passed to the backend.
    customRequestHeaders:
      X-Forwarded-Proto: https
    customResponseHeaders:
      # An empty value removes the Server header from responses.
      Server: ''
      X-Robots-Tag: noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex
---
# Chain that routers reference; the middlewares run in the order listed.
# NOTE(review): the bouncer is last, so requests from already-banned sources
# still pass through the rate limiter before being rejected. Confirm that
# this ordering is intended.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: security-chain
  namespace: crowdsec
  labels:
    app: crowdsec
    managedBy: kustomize
    partOf: wild-cloud
spec:
  chain:
    middlewares:
      - name: security-headers
        namespace: crowdsec
      - name: rate-limit
        namespace: crowdsec
      - name: crowdsec-bouncer
        namespace: crowdsec