# === Acces internet (TLS auto via Let's Encrypt) ===
dt.arauco.online {
	reverse_proxy app:3000

	header {
		Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
		X-Content-Type-Options "nosniff"
		X-Frame-Options "DENY"
		Referrer-Policy "strict-origin-when-cross-origin"
		Permissions-Policy "camera=(), microphone=(), geolocation=()"
		-Server
	}

	encode gzip zstd

	log {
		output file /var/log/caddy/access.log {
			roll_size 10mb
			roll_keep 5
		}
	}
}

# === Acces reseau local (TLS auto-signe interne) ===
dt.huitral.ruka.lan {
	tls internal

	reverse_proxy app:3000

	header {
		X-Content-Type-Options "nosniff"
		X-Frame-Options "DENY"
		Referrer-Policy "strict-origin-when-cross-origin"
		Permissions-Policy "camera=(), microphone=(), geolocation=()"
		-Server
	}

	encode gzip zstd
}