{
    auto_https disable_redirects

    storage file_system {
        root /mnt/data/caddy
    }

    servers {
        # trusted_proxies placeholder
    }

    log {
        level ERROR
    }
}

https://{$ADDITIONAL_TRUSTED_DOMAIN}:443,
http://{$APACHE_HOST}:23973, # For Collabora callback and WOPI requests, see containers.json
{$PROTOCOL}://{$NC_DOMAIN}:{$APACHE_PORT} {
    header -Server
    header -X-Powered-By

    # Collabora
    route /browser/* {
        reverse_proxy {$COLLABORA_HOST}:9980
    }
    route /hosting/* {
        reverse_proxy {$COLLABORA_HOST}:9980
    }
    route /cool/* {
        reverse_proxy {$COLLABORA_HOST}:9980
    }

    # Notify Push
    route /push/* {
        uri strip_prefix /push
        reverse_proxy {$NOTIFY_PUSH_HOST}:7867
    }

    # Onlyoffice
    route /onlyoffice/* {
        uri strip_prefix /onlyoffice
        reverse_proxy {$ONLYOFFICE_HOST}:80 {
            header_up X-Forwarded-Host {http.request.hostport}/onlyoffice
            header_up X-Forwarded-Proto https
        }
    }

    # Talk
    route /standalone-signaling/* {
        uri strip_prefix /standalone-signaling
        reverse_proxy {$TALK_HOST}:8081
    }

    # Whiteboard
    route /whiteboard/* {
        uri strip_prefix /whiteboard
        reverse_proxy {$WHITEBOARD_HOST}:3002
    }

    # Nextcloud
    route {
        header Strict-Transport-Security max-age=31536000;
        reverse_proxy 127.0.0.1:8000
    }
    redir /.well-known/carddav /remote.php/dav/ 301
    redir /.well-known/caldav /remote.php/dav/ 301

    # TLS options
    tls {
        issuer acme {
            disable_http_challenge
        }
    }
}
