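etl.ludikevent.fr, intranet.ludikevent.fr, signature.ludikevent.fr, reservation.ludikevent.fr {
	# Application logs
	log {
		output file {{ path }}/var/log/caddy.log
	}

	# Compression (Zstd + Gzip) for performance
	encode zstd gzip

	# ACME DNS-01 challenge through the Cloudflare DNS provider.
	# The API token is read from Caddy's process environment at runtime so it is
	# never stored in this file or in version control.
	# The token that used to be written here in clear text must be treated as
	# exposed: revoke it in Cloudflare and issue a replacement limited to the DNS
	# permissions this zone needs.
	tls {
		dns cloudflare {env.CLOUDFLARE_API_TOKEN}
	}

	root * {{ path }}/public
	file_server

	# Upper bound on request bodies (uploads) for every host in this block
	request_body {
		max_size 100MB
	}

	# --- SECURITY & HEADERS ---
	# NOTE(review): no Content-Security-Policy is set in this block; confirm
	# whether the application emits one itself.
	header {
		# Security headers
		X-Content-Type-Options "nosniff"
		X-Frame-Options "DENY"
		Referrer-Policy "strict-origin-when-cross-origin"
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

		# Strip the Server response header (less banner disclosure; not a control on its own)
		-Server
	}

	# --- ROBOTS TAGGING ---
	# NOTE(review): etl.ludikevent.fr matches neither matcher below, so this
	# block sends no X-Robots-Tag for it; confirm that is intended.
	@noindex_hosts host intranet.ludikevent.fr signature.ludikevent.fr
	header @noindex_hosts X-Robots-Tag "noindex, nofollow"

	@index_host host reservation.ludikevent.fr
	header @index_host -X-Robots-Tag

	# --- REDIRECTS ---
	# NOTE(review): both paths hand a first-party script URL over to a third-party
	# origin, so whatever that origin returns runs in the visitor's browser with
	# this site's privileges. A permanent (301) redirect is also cached by
	# browsers, which makes it slow to withdraw. Confirm who controls each target
	# and prefer a reviewed local copy, or a direct reference with Subresource
	# Integrity where the script is versioned.
	handle_path /utm_reserve.js {
		redir https://tools-security.esy-web.dev/script.js permanent
	}

	handle_path /ts.js {
		redir https://widget.trustpilot.com/bootstrap/v5/tp.widget.bootstrap.min.js permanent
	}

	# --- ASSETS & CACHE ---
	# Rewrite /assets -> /build (Vite/Webpack)
	handle_path /assets/* {
		rewrite * /build{path}
	}

	# --- PHP FASTCGI ---
	php_fastcgi unix//run/php/php8.4-fpm.sock {
		read_timeout 300s
		write_timeout 300s
		dial_timeout 100s

		# Pass the client IP reported by Cloudflare to PHP as REMOTE_ADDR.
		# Other Cloudflare headers (CF-Ray, etc.) are forwarded automatically.
		# NOTE(review): CF-Connecting-IP is an ordinary request header. It can be
		# trusted only if the origin accepts connections from Cloudflare alone;
		# a direct request could set it to any value, and a request without it
		# presumably leaves REMOTE_ADDR empty. Confirm the origin firewall, or
		# declare Cloudflare's ranges as trusted proxies with CF-Connecting-IP as
		# the client IP header in the global server options and pass the resolved
		# client IP instead.
		env REMOTE_ADDR {header.CF-Connecting-IP}
	}
}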