{$DOMAIN} {
	# TLS — use Let's Encrypt staging for initial testing
	tls {$TLS_EMAIL} {
		ca https://acme-staging-v02.api.letsencrypt.org/directory
	}

	# Security headers
	header {
		Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' https://image.tmdb.org; connect-src 'self' wss://{$DOMAIN}; font-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
		X-Frame-Options "DENY"
		X-Content-Type-Options "nosniff"
		Referrer-Policy "strict-origin-when-cross-origin"
		Strict-Transport-Security "max-age=86400; includeSubDomains"
		Permissions-Policy "camera=(), microphone=(), geolocation=(), interest-cohort=()"
		-Server
	}

	# Reverse proxy to Next.js app
	reverse_proxy app:3000
}
