From ffdf022fa04dc2e26f0ba0f4033076472d2b9f94 Mon Sep 17 00:00:00 2001
From: James <james@jongsma.me>
Date: Sun, 1 Mar 2026 00:56:39 -0500
Subject: [PATCH] init: Caddyfile + gitignore

---
 .gitignore |   2 +
 Caddyfile  | 131 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 133 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 Caddyfile

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..6e2469c
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+*.bak*
+*.bak
diff --git a/Caddyfile b/Caddyfile
new file mode 100644
index 0000000..1aa9780
--- /dev/null
+++ b/Caddyfile
@@ -0,0 +1,131 @@
+{
+    acme_ca https://acme.zerossl.com/v2/DV90
+    email johan@jongsma.me
+    log {
+        output file /var/log/caddy/access.log {
+            roll_size 100mb
+            roll_keep 5
+        }
+        format json
+    }
+}
+
+inou.com {
+    reverse_proxy 192.168.1.253:1080 {
+        @tarpit status 444
+        handle_response @tarpit {
+            abort
+        }
+    }
+    
+    header {
+        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+        X-Content-Type-Options "nosniff"
+        X-Frame-Options "SAMEORIGIN"
+        Referrer-Policy "strict-origin-when-cross-origin"
+        Permissions-Policy "geolocation=(), microphone=(), camera=()"
+        Cross-Origin-Opener-Policy "same-origin-allow-popups"
+        Cross-Origin-Resource-Policy "same-origin"
+        X-Permitted-Cross-Domain-Policies "none"
+        -Server
+    }
+}
+
+dev.inou.com {
+    reverse_proxy 192.168.1.253:1080 {
+        @tarpit status 444
+        handle_response @tarpit {
+            abort
+        }
+    }
+    
+    header {
+        Strict-Transport-Security "max-age=31536000; includeSubDomains"
+        X-Content-Type-Options "nosniff"
+        X-Frame-Options "SAMEORIGIN"
+        Referrer-Policy "strict-origin-when-cross-origin"
+        -Server
+    }
+}
+
+flourishevents.nl, www.flourishevents.nl {
+    root * /var/www/flourishevents
+    file_server
+}
+
+james.jongsma.me {
+    @blocked not remote_ip 192.168.1.0/24 47.197.93.62 100.64.0.0/10
+    respond @blocked 403
+
+    reverse_proxy 192.168.1.16:18789 {
+        header_up X-Forwarded-For {remote_host}
+        header_up X-Real-IP {remote_host}
+        header_up X-Forwarded-Proto {scheme}
+    }
+
+    header {
+        X-Content-Type-Options "nosniff"
+        X-Frame-Options "DENY"
+        Referrer-Policy "strict-origin-when-cross-origin"
+        -Server
+    }
+}
+
+# Redirect www to non-www (fixes GSC indexing issue)
+www.inou.com {
+    redir https://inou.com{uri} permanent
+}
+
+docsys.jongsma.me {
+    reverse_proxy 192.168.1.16:9201
+
+    header {
+        Strict-Transport-Security "max-age=31536000; includeSubDomains"
+        X-Content-Type-Options "nosniff"
+        X-Frame-Options "SAMEORIGIN"
+        Referrer-Policy "strict-origin-when-cross-origin"
+        -Server
+    }
+}
+
+
+immich.jongsma.me, immich.jongsma.me:2283 {
+    log {
+        output file /var/log/caddy/immich.log {
+            roll_size 50mb
+            roll_keep 5
+        }
+        format json
+    }
+
+    reverse_proxy 192.168.1.253:2283
+
+    header {
+        X-Content-Type-Options "nosniff"
+        X-Frame-Options "SAMEORIGIN"
+        Referrer-Policy "strict-origin-when-cross-origin"
+        -Server
+    }
+}
+
+hass.jongsma.me {
+    reverse_proxy 192.168.1.252:8123
+
+    header {
+        X-Content-Type-Options "nosniff"
+        Referrer-Policy "strict-origin-when-cross-origin"
+        -Server
+    }
+}
+
+vault1984.com, www.vault1984.com {
+    reverse_proxy 192.168.1.16:1984
+
+    header {
+        Strict-Transport-Security "max-age=300; includeSubDomains"
+        X-Content-Type-Options "nosniff"
+        X-Frame-Options "SAMEORIGIN"
+        Referrer-Policy "strict-origin-when-cross-origin "
+        -Server
+    }
+}