{
  debug
  email {$ADMIN_EMAIL:404@vielle.dev}
  on_demand_tls {
    ask http://pi:8000/tls-check
  }
}

(error) {
  handle_errors {
    @custom_err file /{err.status_code}.html
    handle @custom_err {
      rewrite * {file_match.relative}
      file_server
    }
  }

  handle_errors {
    respond "{err.status_code} {err.status_text}"
  }
}

(did-web) {
  handle /.well-known/atproto-did {
    header Access-Control-Allow-Origin "*"
    respond "did:web:{args[0]}"
  }

  handle /.well-known/did.json {
    header Content-Type "application/json"
    header Access-Control-Allow-Origin "*"
    respond <<JSON
      {
        "@context": [
          "https://www.w3.org/ns/did/v1",
          "https://w3id.org/security/multikey/v1",
          "https://w3id.org/security/suites/secp256k1-2019/v1"
        ],
        "id": "did:web:{args[0]}",
        "alsoKnownAs": [
          "at://{args[1]}"
        ],
        "verificationMethod": [
          {
            "id": "did:web:{args[0]}#atproto",
            "type": "Multikey",
            "controller": "did:web:{args[0]}",
            "publicKeyMultibase": "{args[2]}"
          }
        ],
        "service": [
          {
            "id": "#atproto_pds",
            "type": "AtprotoPersonalDataServer",
            "serviceEndpoint": "https://{args[3]}"
          }
        ]
      }
      JSON 200
  }
}

(log) {
  log {args[0]} {
    output stdout
    format console
  }
}

## main site
www.{$HOST:vielle.dev} {
  redir https://{$HOST:vielle.dev}{uri}
}

{$HOST:vielle.dev} {
  import log prs  
  reverse_proxy prs:4321
}

## dongs.zip
{$DONG_HOST:dongs.zip} {
  import log dong
  import did-web "{$DONG_HOST:dongs.zip}" "{$DONG_HOST:dongs.zip}" "zQ3sha8L4YgButkPAFtN4LB2cNai6bBbm7yFJ2kS5iG6KySxd", "pds.vielle.dev"
  import error
  
  encode
  root /srv/dong
  file_server
}

## misc did:web
alt.{$HOST:vielle.dev} {
  import did-web "alt.{$HOST:vielle.dev}" "alt.{$HOST:vielle.dev}" "zQ3shpgbkbxvf5UjBwQcnjf68rg2DKTRQSttBEGokZbx2BzxY" "pds.vielle.dev"
}

## send old dong.vielle.dev => dongs.zip
dong.{$HOST:vielle.dev} {
  redir https://{$DONG_HOST:dongs.zip}{uri}
}

## toy projects
saltire-the-gays.{$HOST:vielle.dev} {
  import log saltire  
  encode
  root /srv/saltire
  import error
  file_server
}

## personal projects
dnd.{$HOST:vielle.dev} {
  import log dnd
  encode
  root /srv/dnd
  import error
  file_server
}

mc.{$HOST:vielle.dev} {
  import log mc
  encode
  root /srv/mc.vielle.dev
  import error
  file_server
}

## atproto services
### pds
pds.{$HOST:vielle.dev}, *.pds.{$HOST:vielle.dev}, *.at.{$HOST:vielle.dev}, *.at.{$DONG_HOST:dongs.zip} {
  import log pds
  tls {
    on_demand
  }

  rewrite / /pds
  @landing path /pds /styles.css
  reverse_proxy @landing landing:8000
  
  # disable age assurance
  handle /xrpc/app.bsky.ageassurance.getState {
    header content-type "application/json"
    header access-control-allow-headers "authorization,dpop,atproto-accept-labelers,atproto-proxy"
    header access-control-allow-origin "*"
    respond `{"state":{"lastInitiatedAt":"2025-07-14T14:22:43.912Z","status":"assured","access":"full"},"metadata":{"accountCreatedAt":"2022-11-17T00:35:16.391Z"}}` 200
  }

  # pds gatekeeper
  @gatekeeper {
    path /xrpc/com.atproto.server.getSession
    path /xrpc/com.atproto.server.describeServer
    path /xrpc/com.atproto.server.updateEmail
    path /xrpc/com.atproto.server.createSession
    path /xrpc/com.atproto.server.createAccount
    path /@atproto/oauth-provider/~api/sign-in
    path /gate/*
  }

  handle @gatekeeper {
    reverse_proxy {$ADDR_PDS_GATEKEEPER}
  }

  reverse_proxy {$ADDR_PDS} {
    transport http {
      dial_timeout 5s
    }
  }
}

### tangled knot
# (see nginx.conf for ssh proxying)
knot.{$HOST:vielle.dev} {
  import log knot
  rewrite / /knot
  @landing path /knot /styles.css
  reverse_proxy @landing landing:8000

  reverse_proxy {$ADDR_KNOT}
}

### piper instance
# technically publicly visible... its _fine_ (+ i cant do jack shit abt it rn so)
piper.{$HOST:vielle.dev} {
  import log piper
  reverse_proxy {$ADDR_PIPER}
}

##### tmp web dev telephone cimd
cimd.{$HOST:vielle.dev} {
  import log cimd

  handle /oauth-client-metadata.json {
    header Content-Type "application/json"
    header Access-Control-Allow-Origin "*"
    respond <<JSON
      {
        "client_id": "https://cimd.{$HOST:vielle.dev}/oauth-client-metadata.json",
        "application_type": "web",
        "grant_types": ["authorization_code"],
        "scope": "atproto transition:generic",
        "response_types": ["code"],
        "redirect_uris": [
            "https://cimd.{$HOST:vielle.dev}", 
            "https://cimd.{$HOST:vielle.dev}/oauth/callback", 
            "https://cimd.{$HOST:vielle.dev}/atproto/callback"
          ],
        "token_endpoint_auth_method": "none",
        "dpop_bound_access_tokens": true,
        "client_name": "cimd.{$HOST:vielle.dev}",
        "client_uri": "https://cimd.{$HOST:vielle.dev}"
      }
      JSON 200
  }

  @not-oauth `{path} != "/oauth-client-metadata.json"`
  handle @not-oauth { 
    redir http://localhost:3000{uri} 
  }
}