(auth_serguzim_me) {
    # always forward outpost path to actual outpost
    reverse_proxy /outpost.goauthentik.io/* https://auth.serguzim.me {
				header_up Host {http.reverse_proxy.upstream.hostport}
				header_up X-Forward-Auth-Host {http.request.host}
		}

    # forward authentication to outpost
    forward_auth https://auth.serguzim.me {
        uri /outpost.goauthentik.io/auth/caddy

				header_up Host {http.reverse_proxy.upstream.hostport}
				header_up X-Forward-Auth-Host {http.request.host}

        # capitalization of the headers is important, otherwise they will be empty
        copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
    }
}

(default) {
	encode zstd gzip
}

(acmedns) {
	tls {
		dns acmedns {
			username "{$ACMEDNS_USER}"
			password "{$ACMEDNS_PASS}"
			subdomain "{$ACMEDNS_SUBD}"
			server_url "{$ACMEDNS_URL}"
		}
	}
}

(faas) {
	rewrite * /function/{args[0]}{uri}
	reverse_proxy https://faas.serguzim.me {
		header_up Host {http.reverse_proxy.upstream.hostport}
	}
}

(analytics) {
	handle_path /_a/* {
		reverse_proxy https://analytics.serguzim.me {
			header_up X-Analytics-IP {remote_host}
			header_up Host {http.reverse_proxy.upstream.hostport}
		}
	}
}

(vpn_only) {
    @denied not client_ip private_ranges
    handle @denied {
        redir https://www.serguzim.me/
    }
}