{
	# Cache module
	order cache before rewrite
	cache {
		ttl 10m
	}
	log {
		output file /data/caddy_global.log
	}
}

jenkins.lucasroyer.fr {
	# Security
	header {
		X-Frame-Options "SAMEORIGIN"
		X-Content-Type-Options "nosniff"
		X-XSS-Protection "1; mode=block"
	}

	# Large files
	request_body {
		max_size 512MB
	}

	# Compression
	encode zstd gzip

	# Log
	log {
		output file /data/jenkins_access.log
	}

	# Redirect
	reverse_proxy jenkins:8080 {
		flush_interval -1
	}
}

portfolio.lucasroyer.fr {
	# Server cache
	cache {
		ttl 24h
		stale 12h
	}
	# Security
	header {
		X-Frame-Options "DENY"
		X-XSS-Protection "1; mode=block"
		X-Content-Type-Options "nosniff"
		Referrer-Policy "strict-origin-when-cross-origin"
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
	}

	# Errors
	handle_errors {
		# If error is 502, 503 or 504, show error.html without changing client URL
		@service_out expression {err.status_code} >= 502 && {err.status_code} <= 504

		handle @service_out {
			root * /srv
			rewrite * /error.html
			file_server
		}
	}

	# Compression
	encode zstd gzip

	# Log
	log {
		output file /data/portfolio_access.log
	}

	# Redirect
	reverse_proxy portfolio:80
}

gitea.lucasroyer.fr {
	# Security
	header {
		X-Frame-Options "SAMEORIGIN"
		X-XSS-Protection "1; mode=block"
		X-Content-Type-Options "nosniff"
		Referrer-Policy "strict-origin-when-cross-origin"
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
	}

	# Large files
	request_body {
		max_size 512MB
	}

	# Compression
	encode zstd gzip

	# Log
	log {
		output file /data/gitea_access.log
	}

	# Redirect
	reverse_proxy gitea-app:3000 {
		flush_interval -1
	}
}

kuma.lucasroyer.fr {
	# Security
	header {
		X-Frame-Options "SAMEORIGIN"
		X-XSS-Protection "1; mode=block"
		X-Content-Type-Options "nosniff"
		Referrer-Policy "strict-origin-when-cross-origin"
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
	}

	# Compression
	encode zstd gzip

	# Log
	log {
		output file /data/kuma_access.log
	}

	# Redirect
	reverse_proxy uptime-kuma:3001 {
	}
}

n8n.lucasroyer.fr {
	# Security
	header {
		X-Frame-Options "SAMEORIGIN"
		X-Content-Type-Options "nosniff"
		X-XSS-Protection "1; mode=block"
		Referrer-Policy "strict-origin-when-cross-origin"
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
	}

	# Compression
	encode zstd gzip

	# Log
	log {
		output file /data/n8n_access.log
	}

	# Redirect
	reverse_proxy n8n:5678 {
		header_up Host {host}
		header_up X-Real-IP {remote_host}
	}
}

ntfy.lucasroyer.fr {
	# Security
	header {
		X-Frame-Options "SAMEORIGIN"
		X-Content-Type-Options "nosniff"
		X-XSS-Protection "1; mode=block"
		Referrer-Policy "strict-origin-when-cross-origin"
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
	}

	# No cache
	header -Cache-Control
	header -Expires

	# Large files
	request_body {
		max_size 512MB
	}

	# Compression
	encode gzip

	# Log
	log {
		output file /data/ntfy_access.log
	}

	# Redirect
	reverse_proxy ntfy:80 {
		flush_interval -1
	}
}

syncthing.lucasroyer.fr {
	# Security
	header {
		X-Frame-Options "SAMEORIGIN"
		X-Content-Type-Options "nosniff"
		X-XSS-Protection "1; mode=block"
		Referrer-Policy "strict-origin-when-cross-origin"
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
	}

	# Compression
	encode zstd gzip

	# Log
	log {
		output file /data/syncthing_access.log
	}

	# Redirect
	reverse_proxy syncthing:8384 {
		header_up Host {host}
		header_up X-Real-IP {remote_host}
	}
}

vaultwarden.lucasroyer.fr {
	# Security
	header {
		X-Frame-Options "SAMEORIGIN"
		X-Content-Type-Options "nosniff"
		X-XSS-Protection "1; mode=block"
		Referrer-Policy "strict-origin-when-cross-origin"
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
		Permissions-Policy "geolocation=(), microphone=(), camera=()"
	}

	# Compression
	encode zstd gzip

	# Log
	log {
		output file /data/vaultwarden_access.log
	}

	# Redirect
	reverse_proxy vaultwarden:80 {
		header_up Host {host}
		header_up X-Real-IP {remote_host}
	}
}

motsdepasse.interstices.pro {
	# Security
	header {
		X-Frame-Options "SAMEORIGIN"
		X-Content-Type-Options "nosniff"
		X-XSS-Protection "1; mode=block"
		Referrer-Policy "strict-origin-when-cross-origin"
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
		Permissions-Policy "geolocation=(), microphone=(), camera=()"
	}

	# Compression
	encode zstd gzip

	# Log
	log {
		output file /data/vaultwarden_access.log
	}

	# Redirect
	reverse_proxy vaultwarden-interstices:80 {
		header_up Host {host}
		header_up X-Real-IP {remote_host}
	}
}

nextcloud.lucasroyer.fr {
	# Large files
	request_body {
		max_size 10GB
	}

	# Compression
	encode zstd gzip

	# Log
	log {
		output file /data/nextcloud_access.log
	}

	# Redirect
	reverse_proxy nextcloud-web:80 {
		header_up Host {host}
		header_up X-Real-IP {remote_host}
	}
}

onlyoffice.lucasroyer.fr {
	# Security
	header {
		Content-Security-Policy "frame-ancestors 'self' nextcloud.lucasroyer.fr"
		X-Frame-Options "ALLOW-FROM https://nextcloud.lucasroyer.fr"
		X-Content-Type-Options nosniff
	}

	# Compression
	encode zstd gzip

	# Redirect
	reverse_proxy onlyoffice:80 {
		header_up Host {host}
		header_up X-Real-IP {remote_host}
	}
}