gigafibre-fsm/apps/portal/traefik-client-portal.yml

# Traefik dynamic route: client.gigafibre.ca → ERPNext (no Authentik)
#
# Purpose: Customer portal accessible without SSO.
# Customers log in via ERPNext's built-in /login page.
#
# Deploy: copy to /opt/traefik/dynamic/ on 96.125.196.67
#   scp traefik-client-portal.yml root@96.125.196.67:/opt/traefik/dynamic/
#   (Traefik auto-reloads dynamic config — no restart needed)
#
# DNS: *.gigafibre.ca wildcard already resolves to 96.125.196.67
# TLS: Let's Encrypt auto-provisions cert for client.gigafibre.ca

http:
  routers:
    # Main portal router — NO authentik middleware
    client-portal:
      rule: "Host(`client.gigafibre.ca`)"
      entryPoints:
        - web
        - websecure
      service: client-portal-svc
      tls:
        certResolver: letsencrypt
      # Explicitly NO middlewares — customers auth via ERPNext /login

    # Block /desk access for portal users
    client-portal-block-desk:
      rule: "Host(`client.gigafibre.ca`) && PathPrefix(`/desk`)"
      entryPoints:
        - web
        - websecure
      service: client-portal-svc
      middlewares:
        - portal-redirect-home
      tls:
        certResolver: letsencrypt
      priority: 200

  middlewares:
    # Redirect /desk attempts to portal home
    portal-redirect-home:
      redirectRegex:
        regex: ".*"
        replacement: "https://client.gigafibre.ca/me"
        permanent: false

  services:
    # Same ERPNext frontend container, unique service name to avoid
    # conflicts with Docker-label-defined services
    client-portal-svc:
      loadBalancer:
        servers:
          - url: "http://erpnext-frontend-1:8080"