The first line after your global options (what you call header) needs to be a site address.
Your Caddyfile somehow tries to create two site blocks, with site addresses that are directive names (and options).
encode gzip {
# other directives
}
# and another one
tls /run/secrets/rootweb_idm_pem /run/secrets/rootweb_idm_key {
# empty
}
Matching encode and gzip and tls as literal vhost names (domain names).
So your tls block essentially looks like
example.com {
ciphers <cipher_suites...>
}
But for it to work it would need to look like
example.com {
tls {
ciphers <cipher_suites...>
}
}
or
example.com
tls {
ciphers <cipher_suites...>
}
(if you only have a single site block)