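{
        # NOTE(review): debug sets the default logger to DEBUG level. Confirm it is
        # still wanted outside troubleshooting.
        debug
        http_port 80
        https_port 443
        email admin@delmar.bzh
        default_sni delmar.bzh

        # NOTE(review): ":2019" binds the admin API on every interface. That API can
        # read and replace the running configuration and does not authenticate
        # callers by default. Bind it to loopback ("admin localhost:2019") unless
        # remote access is required and the port is firewalled.
        admin :2019

        # DNS-01 challenge through the OVH API. The credentials come from the
        # environment instead of being stored in this file. The key, secret and
        # consumer key that used to be written here in clear text must be treated
        # as exposed: revoke them at OVH and issue new ones.
        # {$VAR} is substituted when the Caddyfile is parsed, so the values still
        # appear in the adapted config that the admin API serves.
        acme_dns ovh {
                endpoint ovh-eu
                application_key {$OVH_APPLICATION_KEY}
                application_secret {$OVH_APPLICATION_SECRET}
                consumer_key {$OVH_CONSUMER_KEY}
        }

        log {
                output stderr
                format filter {
                        # Preserves first 8 bits from IPv4 and 32 bits from IPv6
                        request>remote_ip ip_mask 8 32
                        request>client_ip ip_mask 8 32

                        # Remove identifiable information: source port, all request
                        # headers, and the url / h / q query parameters.
                        request>remote_port delete
                        request>headers delete
                        request>uri query {
                                delete url
                                delete h
                                delete q
                        }
                }
        }

        servers {
                # Peers in private address ranges are trusted proxies: their
                # X-Forwarded-* headers are passed through to upstreams such as SearXNG.
                # https://caddyserver.com/docs/caddyfile/options#trusted-proxies
                # NOTE(review): private_ranges covers every RFC 1918 network and
                # loopback, so any LAN host that connects directly can supply its own
                # X-Forwarded-For. List only the real proxy addresses if they are known.
                trusted_proxies static private_ranges
                trusted_proxies_strict

                # Headers consulted, in this order, to determine the client IP.
                client_ip_headers X-Forwarded-For X-Real-IP
        }
}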

# Snippet: answer 403 to any request whose peer address is outside
# 192.168.1.0/24. It only takes effect in site blocks that "import LAN_only";
# no site block visible in this file does so.
# NOTE(review): remote_ip is the immediate TCP peer, not the client_ip derived
# from trusted proxy headers. Confirm that is the address meant here.
(LAN_only) {
        @outside_lan not remote_ip 192.168.1.0/24
        respond @outside_lan 403
}

# Plain-HTTP site on port 80: static files from /mnt/ssd/www/comics, with
# responses of 1024 bytes or more compressed using zstd or gzip.
*:80 {
        encode zstd gzip {
                minimum_length 1024
        }
        root * /mnt/ssd/www/comics
        file_server
}

# Proxies affine.delmar.bzh to patrick:3010; responses of 1024 bytes or more
# are compressed with zstd or gzip.
affine.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        reverse_proxy patrick:3010
}

# Proxies asm.delmar.bzh to patrick:50154; responses of 1024 bytes or more
# are compressed with zstd or gzip.
asm.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        reverse_proxy patrick:50154
}

# Proxies books.delmar.bzh to patrick:10801; responses of 1024 bytes or more
# are compressed with zstd or gzip.
books.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        reverse_proxy patrick:10801
}

# Proxies cap.delmar.bzh to patrick:11338; responses of 1024 bytes or more
# are compressed with zstd or gzip.
cap.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        reverse_proxy patrick:11338
}

# Proxies cloud.delmar.bzh to patrick:11000 with hardening response headers
# and the CardDAV / CalDAV discovery redirects.
cloud.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }

        # Response headers added to every reply from this site.
        # NOTE(review): X-XSS-Protection is ignored by current browsers; a
        # Content-Security-Policy is the maintained replacement.
        header {
                Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
                X-XSS-Protection "1; mode=block;"
                X-Content-Type-Options "nosniff"
                X-Frame-Options "SAMEORIGIN"
                X-Robots-Tag "noindex, nofollow"
        }

        # The upstream sees its own host:port as Host and the peer address as
        # X-Real-IP.
        reverse_proxy patrick:11000 {
                header_up Host {upstream_hostport}
                header_up X-Real-IP {remote_host}
        }

        # Service discovery for DAV clients (e.g. macOS calendar / contacts).
        redir /.well-known/carddav /remote.php/dav 301
        redir /.well-known/caldav /remote.php/dav 301
}

# Proxies cloud.delmar.bzh:8443 to patrick:32772 using TLS to the upstream.
cloud.delmar.bzh:8443 {
        reverse_proxy patrick:32772 {
                transport http {
                        # NOTE(review): this enables TLS to the upstream but skips
                        # certificate verification, so the upstream's identity is
                        # never checked and the hop can be intercepted by anything
                        # on that network path. Prefer trusting the upstream's CA
                        # certificate; keep this only if the hop stays on a trusted
                        # host or network.
                        tls_insecure_skip_verify
                }
        }
}

# Proxies cnvrt.delmar.bzh to patrick:32770; responses of 1024 bytes or more
# are compressed with zstd or gzip.
cnvrt.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        reverse_proxy patrick:32770
}

# Proxies crbn.delmar.bzh to patrick:4000; responses of 1024 bytes or more
# are compressed with zstd or gzip.
crbn.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        reverse_proxy patrick:4000
}

# Proxies crm.delmar.bzh to patrick:15069; responses of 1024 bytes or more
# are compressed with zstd or gzip.
crm.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        reverse_proxy patrick:15069
}

# Proxies cs.delmar.bzh to patrick:49505; responses of 1024 bytes or more
# are compressed with zstd or gzip.
cs.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        reverse_proxy patrick:49505
}

# Proxies cvs.delmar.bzh to patrick:54268, sending the upstream's own
# host:port as the Host header.
cvs.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        reverse_proxy patrick:54268 {
                header_up Host {upstream_hostport}
        }
}

# Proxies dev.delmar.bzh to patrick:19080; responses of 1024 bytes or more
# are compressed with zstd or gzip.
dev.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        reverse_proxy patrick:19080
}

# Proxies dia.delmar.bzh to patrick:53000; responses of 1024 bytes or more
# are compressed with zstd or gzip.
dia.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        reverse_proxy patrick:53000
}

# Proxies draw.delmar.bzh to patrick:24928; responses of 1024 bytes or more
# are compressed with zstd or gzip.
draw.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        reverse_proxy patrick:24928
}

# Proxies gen.delmar.bzh to patrick:15578; responses of 1024 bytes or more
# are compressed with zstd or gzip.
gen.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        reverse_proxy patrick:15578
}

# Proxies git.delmar.bzh to patrick:3001; responses of 1024 bytes or more
# are compressed with zstd or gzip.
git.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        reverse_proxy patrick:3001
}

# Proxies gotify.delmar.bzh to patrick:41901; responses of 1024 bytes or more
# are compressed with zstd or gzip.
gotify.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        reverse_proxy patrick:41901
}

# Proxies hdlp.delmar.bzh to the LAN host 192.168.1.22 (no port given);
# responses of 1024 bytes or more are compressed with zstd or gzip.
hdlp.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        reverse_proxy 192.168.1.22
}

# Proxies homepage.delmar.bzh to patrick:7575; responses of 1024 bytes or more
# are compressed with zstd or gzip.
homepage.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        reverse_proxy patrick:7575
}

# Proxies home-assistant.delmar.bzh to patrick:8123; responses of 1024 bytes
# or more are compressed with zstd or gzip.
home-assistant.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        reverse_proxy patrick:8123
}

# Proxies imgs.delmar.bzh to patrick:32774; responses of 1024 bytes or more
# are compressed with zstd or gzip.
imgs.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        reverse_proxy patrick:32774
}

# Proxies inv.delmar.bzh to patrick:8035 with explicit forwarding headers.
inv.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        reverse_proxy patrick:8035 {
                # X-Real-IP and X-Forwarded-For are both set to the immediate peer
                # address, replacing any chain received from a trusted proxy.
                # NOTE(review): reverse_proxy already manages X-Forwarded-For and
                # X-Forwarded-Proto by default; confirm these overrides are needed.
                header_up X-Real-IP {remote_host}
                header_up X-Forwarded-For {remote_host}
                header_up X-Forwarded-Proto {scheme}
        }
}

# Proxies it.delmar.bzh to patrick:11404; responses of 1024 bytes or more
# are compressed with zstd or gzip.
it.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        reverse_proxy patrick:11404
}

# Proxies jellyfin.delmar.bzh to patrick:8096; responses of 1024 bytes or more
# are compressed with zstd or gzip.
jellyfin.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        reverse_proxy patrick:8096
}

# Proxies jellyseerr.delmar.bzh to patrick:5055; responses of 1024 bytes or
# more are compressed with zstd or gzip.
jellyseerr.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        reverse_proxy patrick:5055
}

# Static site served from /mnt/ssd/www/kontadenn.
kontadenn.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        root * /mnt/ssd/www/kontadenn
        file_server

        # A 404 is rewritten to / and handed to file_server again
        # (presumably a single-page-app style fallback).
        handle_errors {
                @404 {
                        expression {http.error.status_code} == 404
                }
                rewrite @404 /
                file_server
        }
}

# Proxies lghn.delmar.bzh to the LAN host 192.168.1.23 (no port given);
# responses of 1024 bytes or more are compressed with zstd or gzip.
lghn.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        reverse_proxy 192.168.1.23
}

# Proxies lud.delmar.bzh to patrick:3002; responses of 1024 bytes or more
# are compressed with zstd or gzip.
lud.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        reverse_proxy patrick:3002
}

# Proxies mail.delmar.bzh to patrick:10003. The connection to the upstream
# starts with a PROXY protocol v2 header, and the Host header carries the
# upstream's own host:port.
mail.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        reverse_proxy patrick:10003 {
                header_up Host {upstream_hostport}
                transport http {
                        proxy_protocol v2
                }
        }
}

# Proxies mailbear.delmar.bzh to patrick:11234, sending the upstream's own
# host:port as the Host header.
mailbear.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        reverse_proxy patrick:11234 {
                header_up Host {upstream_hostport}
        }
}

# Proxies mmgr.delmar.bzh to patrick:38274; responses of 1024 bytes or more
# are compressed with zstd or gzip.
mmgr.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        reverse_proxy patrick:38274
}

# Proxies music.delmar.bzh to patrick:4533; responses of 1024 bytes or more
# are compressed with zstd or gzip.
music.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        reverse_proxy patrick:4533
}

# Static site served from /mnt/ssd/www/nds.
nds.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        root * /mnt/ssd/www/nds
        file_server

        # A 404 is rewritten to / and handed to file_server again
        # (presumably a single-page-app style fallback).
        handle_errors {
                @404 {
                        expression {http.error.status_code} == 404
                }
                rewrite @404 /
                file_server
        }
}

# Static site served from /mnt/ssd/www/nsns.
nsns.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        root * /mnt/ssd/www/nsns
        file_server

        # A 404 is rewritten to / and handed to file_server again
        # (presumably a single-page-app style fallback).
        handle_errors {
                @404 {
                        expression {http.error.status_code} == 404
                }
                rewrite @404 /
                file_server
        }
}

# Proxies octoprint.delmar.bzh to bernie:54963, telling the upstream which
# scheme the client used through X-Forwarded-Proto.
octoprint.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        reverse_proxy bernie:54963 {
                header_up X-Forwarded-Proto {scheme}
        }
}

# Proxies paperless.delmar.bzh to patrick:8000; responses of 1024 bytes or
# more are compressed with zstd or gzip.
paperless.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        reverse_proxy patrick:8000
}

# Proxies pdf.delmar.bzh to patrick:16080; responses of 1024 bytes or more
# are compressed with zstd or gzip.
pdf.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        reverse_proxy patrick:16080
}

# Proxies penpot.delmar.bzh to patrick:43735; responses of 1024 bytes or more
# are compressed with zstd or gzip.
penpot.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        reverse_proxy patrick:43735
}

# Static site served from /mnt/ssd/www/picpitch-collage; responses of 1024
# bytes or more are compressed with zstd or gzip.
pip.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        root * /mnt/ssd/www/picpitch-collage
        file_server
}

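# Proxies search.delmar.bzh to patrick:23485 (presumably the SearXNG instance
# named in the global options) with hardening headers and a cache policy.
# The opening brace after the site address was missing; with several site
# blocks in one file every block needs its own braces.
search.delmar.bzh {
        encode {
                zstd
                gzip
                minimum_length 1024
        }

        # Path groups used by the header rules below.
        @api {
                path /config
                path /healthz
                path /stats/errors
                path /stats/checker
        }
        @static {
                path /static/*
        }
        @imageproxy {
                path /image_proxy
        }

        header {
                # CSP (https://content-security-policy.com)
                Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https:; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self'; img-src * data:; frame-src https:;"

                # Disable browser features
                Permissions-Policy "accelerometer=(),camera=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),payment=(),usb=()"

                # Send the Referer header only on same-origin requests
                Referrer-Policy "same-origin"

                # Prevent MIME type sniffing from the declared Content-Type
                X-Content-Type-Options "nosniff"

                # Comment out this header to allow indexing by search engines
                X-Robots-Tag "noindex, nofollow, noarchive, nositelinkssearchbox, nosnippet, notranslate, noimageindex"

                # enable HSTS
                # WARNING: Once this value is set, the site must continue to support HTTPS until the expiry time is reached.

                # Strict-Transport-Security max-age=15768000;

                # Remove "Server" header
                -Server
        }

        # Cross-origin reads are allowed on the @api paths only. These two headers
        # used to sit in the general header block, which sent the wildcard origin
        # on every response and left the @api matcher unused.
        header @api {
                Access-Control-Allow-Methods "GET, OPTIONS"
                Access-Control-Allow-Origin "*"
        }

        route {
                # Cache policy: no-cache by default, then overridden for static
                # assets and for the image proxy.
                header Cache-Control "no-cache"
                header @static Cache-Control "public, max-age=30, stale-while-revalidate=60"
                header @imageproxy Cache-Control "public, max-age=3600"
        }
        reverse_proxy patrick:23485
}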

# Proxies send.delmar.bzh to patrick:53842; responses of 1024 bytes or more
# are compressed with zstd or gzip.
send.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        reverse_proxy patrick:53842
}

# Static site served from /mnt/ssd/www/shop; responses of 1024 bytes or more
# are compressed with zstd or gzip.
shop.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        root * /mnt/ssd/www/shop
        file_server
}

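# Proxies stream.delmar.bzh to carlo:8080 behind HTTP basic authentication.
stream.delmar.bzh {
        encode {
                zstd
                gzip
                minimum_length 1024
        }

        # No path matcher, so every request must authenticate. The earlier
        # "basic_auth /" form matched only the exact path "/", which left every
        # other path reachable without credentials.
        # NOTE(review): this bcrypt hash (cost 14, per its $2a$14$ prefix) is
        # stored in the file and is identical to the one in the zik.delmar.bzh
        # block, so both sites share one "admin" password. Anyone able to read
        # this file can test password guesses offline; rotate the password if the
        # file has been shared, and consider loading the hash from the environment.
        basic_auth {
                admin $2a$14$RuKvTkZWcLpyX/ptJmkmYOd6WpDACXi.fIcz2feCcvTW73vZ/4TSi
        }

        reverse_proxy carlo:8080
}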

# Static site served from /mnt/ssd/www/tpml.
tpml.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        root * /mnt/ssd/www/tpml
        file_server

        # A 404 is rewritten to / and handed to file_server again
        # (presumably a single-page-app style fallback).
        handle_errors {
                @404 {
                        expression {http.error.status_code} == 404
                }
                rewrite @404 /
                file_server
        }
}

# Proxies trfk.delmar.bzh to the LAN host 192.168.1.21 (no port given);
# responses of 1024 bytes or more are compressed with zstd or gzip.
trfk.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        reverse_proxy 192.168.1.21
}

# Proxies trmx.delmar.bzh to patrick:32771; responses of 1024 bytes or more
# are compressed with zstd or gzip.
trmx.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        reverse_proxy patrick:32771
}

# Proxies twip.delmar.bzh to patrick:12473 and fetches error pages from the
# same upstream.
twip.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        reverse_proxy patrick:12473

        # On an error, request /<status code> from the upstream and send its
        # reply with the original error status.
        handle_errors {
                rewrite * /{err.status_code}
                reverse_proxy patrick:12473 {
                        header_up Host {upstream_hostport}
                        replace_status {err.status_code}
                }
        }
}

# Proxies ugo.delmar.bzh to patrick:8090; responses of 1024 bytes or more
# are compressed with zstd or gzip.
ugo.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        reverse_proxy patrick:8090
}

# Proxies vault.delmar.bzh to patrick:16081; responses of 1024 bytes or more
# are compressed with zstd or gzip.
vault.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        reverse_proxy patrick:16081
}

# Proxies wizarr.delmar.bzh to patrick:5690; responses of 1024 bytes or more
# are compressed with zstd or gzip.
wizarr.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        reverse_proxy patrick:5690
}

# Static site served from /mnt/ssd/www/comics, with a second root for
# /julien/ and a custom 404 page.
www.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        root * /mnt/ssd/www/comics
        file_server

        # Add the trailing slash so /julien falls under the handler below.
        redir /julien /julien/

        # Strips the /julien prefix and switches the root for those requests.
        # NOTE(review): there is no file_server inside this block; presumably the
        # site-level file_server then serves the stripped path. Confirm.
        handle_path /julien/* {
                root * /mnt/ssd/www/resumes/julien
        }

        # A 404 is rewritten to /404.html and served by file_server.
        handle_errors {
                @404 {
                        expression {http.error.status_code} == 404
                }
                rewrite @404 /404.html
                file_server
        }
}

# Proxies xcd.delmar.bzh to patrick:32768; responses of 1024 bytes or more
# are compressed with zstd or gzip.
xcd.delmar.bzh {
        encode zstd gzip {
                minimum_length 1024
        }
        reverse_proxy patrick:32768
}

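# Proxies zik.delmar.bzh to patrick:32773 behind HTTP basic authentication.
zik.delmar.bzh {
        encode {
                zstd
                gzip
                minimum_length 1024
        }

        # No path matcher, so every request must authenticate. The earlier
        # "basic_auth /" form matched only the exact path "/", which left every
        # other path reachable without credentials.
        # NOTE(review): this bcrypt hash (cost 14, per its $2a$14$ prefix) is
        # stored in the file and is identical to the one in the stream.delmar.bzh
        # block, so both sites share one "admin" password. Anyone able to read
        # this file can test password guesses offline; rotate the password if the
        # file has been shared, and consider loading the hash from the environment.
        basic_auth {
                admin $2a$14$RuKvTkZWcLpyX/ptJmkmYOd6WpDACXi.fIcz2feCcvTW73vZ/4TSi
        }

        reverse_proxy patrick:32773
}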
