# Global options: ACME contact address, directive ordering for the
# caddy-security plugin, and the plugin's own `security` app config.
{
	email sean@seanclayton.me

	# `authenticate` and `authorize` are plugin directives, so their position
	# in the handler chain is set explicitly here.
	# NOTE(review): newer Caddy releases spell the built-in directive
	# `basic_auth`; confirm `basicauth` still resolves on the deployed version.
	order authenticate before respond
	order authorize before basicauth

	security {
		# Login portal served at auth.gopoop.org (see the site block below).
		authentication portal authportal {
			# Issued tokens expire after 3600 (presumably seconds, i.e. one hour).
			crypto default token lifetime 3600

			# One shared secret both signs tokens here and verifies them in
			# users_policy. Whoever holds JWT_SHARED_KEY can mint a token with
			# any role, so it belongs in the runtime environment only and
			# should be a long random value.
			crypto key sign-verify {env.JWT_SHARED_KEY}

			# Local user database; presumably the trailing `local` is the realm
			# name. The file holds credential material, so keep it on a
			# persistent volume readable only by the Caddy process.
			backend local /data/caddy/users.json local

			# Cookie is scoped to the parent domain, so browsers send it to
			# every *.gopoop.org host, including the foundry sites that are
			# proxied without `authorize`; those upstreams receive the token.
			cookie domain gopoop.org

			ui {
				password_recovery_enabled yes
			}

			# Grants the baseline role (and a portal link) to matched users.
			# NOTE(review): the backend above is registered as `local` while
			# this rule matches realm `generic`; confirm it fires for the
			# users in users.json.
			transform user {
				match realm generic
				action add role authp/user
				ui link "Cloud" https://cloud.gopoop.org/ icon "las la-star"
			}
		}

		# Gate used by admin.gopoop.org and monitor.gopoop.org.
		authorization policy users_policy {
			# Unauthenticated requests are sent to the portal.
			set auth url https://auth.gopoop.org/
			allow roles authp/admin authp/user
			crypto key verify {env.JWT_SHARED_KEY}

			# Rule order matters: the allow rule stops evaluation on a match,
			# everything else falls through to the logged default deny.
			acl rule {
				comment allow users
				match role authp/user
				allow stop log info
			}
			acl rule {
				comment default deny
				match any
				deny log warn
			}
		}
	}
}

# Response compression shared by every site below.
(compress) {
	encode zstd gzip
}

# Authentication portal.
auth.gopoop.org {
	route {
		authenticate with authportal
	}
	import compress
}

# Proxied without `authorize`: access control is whatever the upstream
# application enforces itself.
foundry.gopoop.org {
	reverse_proxy server_foundry:30000
	import compress
}

foundry2.gopoop.org {
	reverse_proxy server_foundry_2:30000
	import compress
}

# Behind users_policy. The policy admits authp/user as well as authp/admin,
# so this host is reachable by every portal user who holds the baseline role.
# NOTE(review): the upstream looks like a container-management UI; consider a
# separate admin-only policy if more than one person has a portal account.
admin.gopoop.org {
	authorize with users_policy
	reverse_proxy server_portainer:9000
	import compress
}

monitor.gopoop.org {
	authorize with users_policy
	reverse_proxy server_netdata:19999
	import compress
}

# sean.wtf hosts: outside the gopoop.org cookie domain and not behind the
# portal; each upstream handles its own authentication.
code.sean.wtf {
	reverse_proxy server_gitea:3000
	import compress
}

ci.sean.wtf {
	reverse_proxy server_woodpecker-server:8000
	import compress
}

codeberg-ci.sean.wtf {
	reverse_proxy server_codeberg-woodpecker-server:8000
	import compress
}