Traefik terminates TLS and forwards HTTP, so PASSBOLT_SSL_FORCE=false (in-container redirect caused an infinite loop); Service/Ingress on port 80; add HTTP->HTTPS redirect middleware at Traefik instead. Set PASSBOLT_GPG_SERVER_KEY_FINGERPRINT to the migrated server key (1471F6B1...) so the GPG login handshake completes.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Move ingress from headlamp.local (plain HTTP) to headlamp.roysland.net with a Let's Encrypt cert (cert-manager) and a Traefik HTTP->HTTPS redirect. Fixes the browser HTTPS-upgrade breaking the API calls against the self-signed Traefik default cert.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
