(security_headers) {
	header {
		X-Content-Type-Options nosniff
		X-Frame-Options SAMEORIGIN
		Referrer-Policy strict-origin-when-cross-origin
		X-XSS-Protection "1; mode=block"
		-Server
	}
}

(authelia) {
	forward_auth 100.78.131.124:9092 {
		uri /api/verify?rd=https://auth.jimmygan.com
		copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
	}
}

# Authelia portal (no forward_auth on itself)
auth.jimmygan.com {
	import security_headers
	reverse_proxy 100.78.131.124:9092
}

# Protected services
nas.jimmygan.com {
	import security_headers
	import authelia
	reverse_proxy 100.78.131.124:4000 {
		header_up Host {host}
		header_up X-Real-IP {remote_host}
		header_up X-Forwarded-For {remote_host}
		header_up X-Forwarded-Proto {scheme}
		header_up X-Forwarded-Host {host}
	}
}

dev.nas.jimmygan.com {
	import security_headers
	import authelia
	reverse_proxy 100.78.131.124:4001
}

music.jimmygan.com {
	import security_headers
	import authelia
	reverse_proxy 100.78.131.124:4533 {
		flush_interval -1
	}
}

photos.jimmygan.com {
	import security_headers
	import authelia
	reverse_proxy 100.78.131.124:2283 {
		header_up X-Forwarded-Proto https
		header_up X-Forwarded-Host {host}
		transport http {
			read_timeout 10m
			write_timeout 10m
		}
	}
}

photos-app.jimmygan.com {
	import security_headers
	reverse_proxy 100.78.131.124:2283 {
		header_up X-Forwarded-Proto https
		header_up X-Forwarded-Host {host}
		transport http {
			read_timeout 10m
			write_timeout 10m
		}
	}
}

git.jimmygan.com {
	import security_headers
	import authelia
	reverse_proxy 100.78.131.124:3300
}
