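# Barazo Caddyfile -- Reverse Proxy with Automatic SSL
#
# Caddy handles:
#   - Automatic HTTPS via Let's Encrypt (auto-renews)
#   - HTTP -> HTTPS redirect (automatic)
#   - HTTP/3 (QUIC) support
#   - Reverse proxy routing to API and Web services
#
# Set COMMUNITY_DOMAIN in your .env file (e.g., "forum.example.com").

{
    # Turn off Caddy's admin API endpoint. With it off, config changes made
    # through that API (including `caddy reload`) are unavailable, so a
    # config change needs a restart of the Caddy process.
    admin off
}

# ---------------------------------------------------------------------------
# Documentation site (static export served from /var/www/docs.barazo.forum/)
# ---------------------------------------------------------------------------
docs.barazo.forum {
    # HSTS (2 years). includeSubDomains extends the policy to every host
    # below this name.
    header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

    root * /var/www/docs.barazo.forum
    file_server

    # Try the exact path, then the directory index, then the 404 page.
    try_files {path} {path}index.html /404.html
}

{$COMMUNITY_DOMAIN} {
    # HSTS -- enforce HTTPS for all future requests (2 years, preload-eligible).
    # includeSubDomains covers every subdomain of COMMUNITY_DOMAIN, so each of
    # them must be able to serve HTTPS before this is deployed.
    header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

    # Block /api/health/ready from external access (internal monitoring only).
    # Internal monitors have to reach barazo-api directly, not through Caddy.
    @healthReady path /api/health/ready
    handle @healthReady {
        respond "Forbidden" 403 {
            close
        }
    }

    # The path matcher above is exact, so the trailing-slash and sub-path forms
    # would otherwise fall through to the /api/* proxy below. Refuse them too.
    # NOTE(review): whether the API router would answer those forms is not
    # visible from this file -- this is defence in depth.
    handle /api/health/ready/* {
        respond "Forbidden" 403 {
            close
        }
    }

    # OAuth metadata (AT Protocol requires PDS to fetch these from the client_id origin)
    handle /oauth-client-metadata.json {
        reverse_proxy barazo-api:3000
    }

    # NOTE(review): this document is world-readable; confirm the API only ever
    # serializes public keys here.
    handle /jwks.json {
        reverse_proxy barazo-api:3000
    }

    # API routes -> barazo-api:3000
    handle /api/* {
        reverse_proxy barazo-api:3000
    }

    # API documentation -> barazo-api:3000
    # NOTE(review): these routes expose the API documentation to the internet;
    # confirm that is intended for production deployments.
    handle /docs {
        reverse_proxy barazo-api:3000
    }

    handle /docs/* {
        reverse_proxy barazo-api:3000
    }

    # Everything else -> barazo-web:3001
    handle {
        reverse_proxy barazo-web:3001
    }
}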