tls:
  options:
    # Modern TLS configuration
    modern:
      minVersion: VersionTLS13
      cipherSuites: []
      curvePreferences:
        - X25519
        - P-256
        - P-384

    # Intermediate TLS configuration (better compatibility)
    intermediate:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
      curvePreferences:
        - X25519
        - P-256
        - P-384
      sniStrict: true

    # Default options
    default:
      minVersion: VersionTLS12
      sniStrict: false

  certificates:
    # Wildcard certificate for local domains
    - certFile: /letsencrypt/local.lemonlink.eu.crt
      keyFile: /letsencrypt/local.lemonlink.eu.key
      stores:
        - default

  stores:
    default:
      defaultCertificate:
        certFile: /letsencrypt/local.lemonlink.eu.crt
        keyFile: /letsencrypt/local.lemonlink.eu.key