{$DOMAIN}:443 {
  log {
    level INFO
    output file {$LOG_FILE} {
      roll_size 10MB
      roll_keep 10
    }
  }

  # Use the ACME HTTP-01 challenge to get a cert for the configured domain.
  tls {$EMAIL}

  # This setting may have compatibility issues with some browsers
  # (e.g., attachment downloading on Firefox). Try disabling this
  # if you encounter issues.
  encode gzip

  # Uncomment if you want to block access to /admin
  #@blocked {
  #  path /admin /admin/*
  #}
  #respond @blocked 403

  # Notifications redirected to the WebSocket server
  reverse_proxy /notifications/hub vaultwarden:3012

  # Proxy everything else to Rocket
  reverse_proxy vaultwarden:8080 {
      # Send the true remote IP to Rocket, so that vaultwarden can put this in the
      # log, so that fail2ban can ban the correct IP.
      header_up X-Real-IP {remote_host}
      header_down Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
      header_down Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()"
      header_down +Content-Security-Policy "upgrade-insecure-requests; block-all-mixed-content; base-uri 'none'"
      header_down X-XSS-Protection "0"
      header_down Cross-Origin-Opener-Policy same-origin
      header_down Cross-Origin-Resource-Policy : same-origin
  }
}