{
  admin off
  email {$TLS_EMAIL}
}

{$PUBLIC_DOMAIN} {
  encode gzip zstd

  @insecure protocol http
  redir @insecure https://{host}{uri} 308

  header {
    X-Content-Type-Options "nosniff"
    X-Frame-Options "DENY"
    Referrer-Policy "strict-origin-when-cross-origin"
    Permissions-Policy "camera=(), microphone=(), geolocation=()"
    Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  }

  @auth path /api/auth*
  handle @auth {
    reverse_proxy auth:3001
  }

  @api path /v1*
  handle @api {
    reverse_proxy api:8080
  }

  handle {
    reverse_proxy frontend:3000
  }
}
