private.coffee www.private.coffee {
	header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

	header Access-Control-Allow-Origin https://element.private.coffee
	header Access-Control-Allow-Methods "GET"
	header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range"
	header Access-Control-Expose-Headers "Content-Length,Content-Range"

	@matrix {
		path matrix /.well-known/matrix/*
	}

	@assets {
		path assets /assets/*
	}

	@security {
		path security-well-known /.well-known/security.txt
		path security /security.txt
	}

	handle @matrix {
		header /.well-known/matrix/* Content-Type application/json
		header /.well-known/matrix/* Access-Control-Allow-Origin *
		respond /.well-known/matrix/server `{"m.server": "matrix.private.coffee:443"}`
		respond /.well-known/matrix/client `{"m.homeserver":{"base_url":"https://matrix.private.coffee"}}`
	}

	handle @assets {
		file_server
		root * /srv/private.coffee
	}

	handle @security {
		redir https://security.private.coffee/security.txt
	}

	handle {
		reverse_proxy * unix//var/run/uwsgi/privatecoffee.sock
	}
}