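# Podman Quadlet container unit for KubeViz, published through Traefik.
# Dialect: systemd unit syntax. Comments must be on their own line, and
# Quadlet splits Environment= and Label= values on whitespace, so any value
# containing spaces has to be quoted as a whole "key=value" word.

[Unit]
Description=KubeViz behind Traefik (Podman network)
After=network-online.target
Wants=network-online.target

[Container]
ContainerName=kubeviz
# Locally built image; Pull=never means no registry is contacted at start.
Image=localhost/kubeviz:prod
Pull=never

# Attach to the same user-defined network as Traefik.
# No PublishPort= is set, so the app is only reachable over this network.
Network=edge

Environment=TZ=Europe/Berlin
Environment=ADDR=:8080
Environment=SESSION_TTL=30m
# Bytes (5 MiB).
Environment=MAX_UPLOAD_SIZE=5242880
# Matches the TLS-only websecure router below.
Environment=COOKIE_SECURE=true
# NOTE(review): presumably turns off the app's own CSP because the
# kubeviz-sec-headers middleware below sets it instead - confirm. If so, the
# CSP depends entirely on that label being parsed correctly.
Environment=APP_CSP_ENABLED=false
Environment=LOG_LEVEL=info
# NOTE(review): presumably the allow-list of Git hosts the app may fetch
# from - confirm, and keep it as short as the deployment needs.
Environment=GIT_ALLOWED_HOSTS=github.com,gitlab.com,gitea.smb-corp.de

# Hardening: no privilege escalation, read-only root filesystem with a
# size-capped tmpfs for scratch data, and a non-root UID/GID.
# NOTE(review): the app binds an unprivileged port as a non-root user, so
# DropCapability=all is likely safe to add - verify before enabling.
NoNewPrivileges=true
ReadOnly=true
Tmpfs=/tmp:rw,size=128m,mode=1777
User=65532
Group=65532

# Traefik labels (Podman provider)
Label=traefik.enable=true
Label=traefik.docker.network=edge

# Plain-HTTP router: only redirects to HTTPS, serves no content.
Label=traefik.http.routers.kubeviz-web.rule=Host(`kubeviz.valtrix.systems`)
Label=traefik.http.routers.kubeviz-web.entrypoints=web
Label=traefik.http.routers.kubeviz-web.middlewares=kubeviz-redirect-https
Label=traefik.http.middlewares.kubeviz-redirect-https.redirectscheme.scheme=https
Label=traefik.http.middlewares.kubeviz-redirect-https.redirectscheme.permanent=true

# Content-Security-Policy header added by Traefik.
# The whole assignment is double-quoted: left unquoted, the value would be
# split at the first space and only "default-src" would stay attached to the
# key, so the policy below would not be the one sent to browsers.
# After deploying, confirm the header with: curl -sI https://<host>/
Label="traefik.http.middlewares.kubeviz-sec-headers.headers.contentSecurityPolicy=default-src 'self'; base-uri 'self'; object-src 'none'; frame-ancestors 'self'; script-src 'self'; script-src-elem 'self'; style-src 'self' 'unsafe-inline'; style-src-elem 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; connect-src 'self'; worker-src 'self' blob:;"

# Basic-auth gate in front of the app.
# NOTE(review): this is an htpasswd $apr1$ (MD5-based) hash stored in a
# container label, so it is readable by anyone who can read this unit file or
# inspect the container. Prefer a bcrypt hash (htpasswd -B) kept in a
# root-only file referenced through basicauth.usersfile, and rotate this
# credential if the file has been shared.
# NOTE(review): the value contains "$"; check with
# "podman inspect kubeviz" that the label arrived unmodified - TODO confirm.
Label="traefik.http.middlewares.kubeviz-auth.basicauth.users=smb:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"

# HTTPS router: TLS via the "le" certificate resolver, then security headers
# and basic auth, then the service on container port 8080.
Label=traefik.http.routers.kubeviz-websecure.rule=Host(`kubeviz.valtrix.systems`)
Label=traefik.http.routers.kubeviz-websecure.entrypoints=websecure
Label=traefik.http.routers.kubeviz-websecure.tls=true
Label=traefik.http.routers.kubeviz-websecure.tls.certresolver=le
Label=traefik.http.routers.kubeviz-websecure.middlewares=kubeviz-sec-headers,kubeviz-auth
Label=traefik.http.routers.kubeviz-websecure.service=kubeviz
Label=traefik.http.services.kubeviz.loadbalancer.server.port=8080

[Service]
Restart=always
# Seconds.
RestartSec=3
TimeoutStartSec=90
TimeoutStopSec=20

[Install]
WantedBy=default.target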