loki.pyrocufflink.blue {
	tls {
		client_auth {
			mode verify_if_given
			trusted_ca_cert_file /etc/caddy/client-ca.crt
		}
	}
	@anonymous {
		expression {tls_client_subject} == null
	}
	handle @anonymous {
		route /loki/api/v1/push {
			reverse_proxy 127.0.0.1:3100
		}
		route /metrics {
			reverse_proxy 127.0.0.1:3100
		}
		route /ready {
			reverse_proxy 127.0.0.1:3100
		}
		respond 403
	}
	handle {
		reverse_proxy 127.0.0.1:3100
	}
	tls loki@pyrocufflink.blue {
		ca https://ca.pyrocufflink.blue:32599/acme/acme/directory
		ca_root /etc/caddy/acme-ca.crt
	}
}