{{ ansible_managed | comment }}

{{ mastodon_domain }} {
    encode gzip

    header {
        # enable HSTS
        Strict-Transport-Security "max-age=31536000; preload;"

        # disable clients from sniffing the media type
        X-Content-Type-Options nosniff

        # clickjacking protection
        X-Frame-Options DENY

        # keep referrer data off of HTTP connections
        Referrer-Policy no-referrer-when-downgrade

        # Server name removing
        -Server
    }

    # TODO: Move to own caddy file
    route /.well-known/matrix* {
        reverse_proxy https://matrix.flausch.social {
            header_up -Host
        }
    }

    reverse_proxy caddy-mastodon-nginx:8080
}