# Authentik Authentication Service
{{ authentik_domain }} {
    reverse_proxy http://{{ authentik_bind_address }}:{{ authentik_http_port }} {
        header_up Host {host}
        header_up X-Real-IP {remote_host}
        header_up X-Forwarded-Proto https
        header_up X-Forwarded-For {remote_host}
        header_up X-Forwarded-Host {host}
    }

    # Security headers
    header {
        X-Frame-Options SAMEORIGIN
        X-Content-Type-Options nosniff
        X-XSS-Protection "1; mode=block"
        Referrer-Policy strict-origin-when-cross-origin
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    }

    # Authentik-specific paths
    handle_path /outpost.goauthentik.io/* {
        reverse_proxy http://{{ authentik_bind_address }}:{{ authentik_http_port }}
    }
    
    # Logging
    log {
        output file {{ caddy_log_dir }}/authentik.log
        level INFO
        format json
    }
}