http:
  routers:
    # Mixarr Web Frontend - with auth
    mixarr-web:
      entryPoints:
      - web-secure
      tls:
        certResolver: default
      service: mixarr-web
      rule: (Host(`mixarr.fails.me`) || Host(`mixarr.3ddbrewery.com`)) && !PathPrefix(`/api`)
      middlewares:
      - secure-headers
      - authentik

    # Mixarr Web API paths - no auth (app handles session auth)
    mixarr-web-api:
      entryPoints:
      - web-secure
      tls:
        certResolver: default
      service: mixarr-web
      rule: (Host(`mixarr.fails.me`) || Host(`mixarr.3ddbrewery.com`)) && PathPrefix(`/api`)
      middlewares:
      - secure-headers

    # Mixarr Backend API - no auth (called by frontend)
    mixarr-api:
      entryPoints:
      - web-secure
      tls:
        certResolver: default
      service: mixarr-api
      rule: Host(`api.mixarr.fails.me`) || Host(`api.mixarr.3ddbrewery.com`)
      middlewares:
      - secure-headers

  services:
    mixarr-web:
      loadBalancer:
        servers:
        - url: http://192.168.1.80:3006
        passHostHeader: false

    mixarr-api:
      loadBalancer:
        servers:
        - url: http://192.168.1.80:3005
        passHostHeader: false