# atBB — Example Caddyfile for NixOS deployments
#
# Use this file when Caddy, rather than the built-in nginx reverse proxy,
# should terminate TLS and route requests for the forum.
#
# In your NixOS configuration, set:
#
#   services.atbb.enableNginx = false;
#
# Then let Caddy take over the routing, either via a raw Caddyfile:
#
#   services.caddy.configFile = ./Caddyfile;
#
# or inline using the virtualHosts option (see the NixOS snippet at the end).
#
# Caddy automatically obtains and renews a Let's Encrypt TLS certificate for
# your domain — no ACME configuration is needed beyond a valid DNS record
# pointing to the server.
# NOTE(review): issuance also requires that Let's Encrypt can reach this host
# on ports 80/443; check that the host firewall allows them
# (e.g. networking.firewall.allowedTCPPorts on NixOS).

# ── Routing overview ──────────────────────────────────────────────────────────
#
#   /.well-known/*  → appview  (default port 3000)
#   /api/*          → appview  (default port 3000)
#   /*              → web UI   (default port 3001)
#
# IMPORTANT: /.well-known/ MUST be routed to appview, not the web UI.
# The AT Protocol OAuth flow fetches {client_id}/.well-known/oauth-client-metadata
# from your forum's domain to validate the OAuth client. If this request reaches
# the web UI instead of appview, login will silently fail.
#
# NOTE(review): both upstreams are addressed via localhost. Confirm that
# appview and the web UI listen on loopback only (or that ports 3000/3001 are
# firewalled); a backend reachable from outside can be contacted directly,
# bypassing Caddy and its TLS.
#
# ─────────────────────────────────────────────────────────────────────────────

forum.example.com {
    # AT Protocol well-known endpoints → appview.
    # Serves the OAuth client metadata and any future AT Proto service discovery.
    handle /.well-known/* {
        reverse_proxy localhost:3000
    }

    # REST API → appview.
    handle /api/* {
        reverse_proxy localhost:3000
    }

    # Web UI — catch-all for everything not matched above (must come last).
    handle {
        reverse_proxy localhost:3001
    }
}

# ── NixOS integration snippet ─────────────────────────────────────────────────
#
# Equivalent configuration using services.caddy.virtualHosts in NixOS:
#
#   services.atbb = {
#     enable = true;
#     domain = "forum.example.com";
#     enableNginx = false;  # disable the built-in nginx virtualHost
#     # ... other options
#   };
#
#   services.caddy = {
#     enable = true;
#     virtualHosts."forum.example.com".extraConfig = ''
#       handle /.well-known/* {
#         reverse_proxy localhost:${toString config.services.atbb.appviewPort}
#       }
#
#       handle /api/* {
#         reverse_proxy localhost:${toString config.services.atbb.appviewPort}
#       }
#
#       handle {
#         reverse_proxy localhost:${toString config.services.atbb.webPort}
#       }
#     '';
#   };
#
# Caddy automatically provisions and renews a Let's Encrypt certificate for
# the virtualHost — no security.acme configuration required.
# ─────────────────────────────────────────────────────────────────────────────