# Caddy Configuration for SwX-API
# ---------------------------------
# This Caddyfile provides reverse proxy functionality with automatic HTTPS.
#
# Usage:
#   - Development: Use docker-compose.override.yml (ports exposed directly)
#   - Production: Use docker-compose.production.yml (Caddy handles routing)
#
# Domains:
#   - api.{DOMAIN} -> swx-api:8000
#   - adminer.{DOMAIN} -> adminer:8080 (dev only)
#
# Security:
#   - Automatic HTTPS via Let's Encrypt
#   - HTTP to HTTPS redirect
#   - Security headers enabled

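# Global options
{
    # Contact address for the ACME (Let's Encrypt) account. Set CADDY_EMAIL in
    # production; the example.com fallback is only a placeholder.
    email {$CADDY_EMAIL:admin@example.com}

    # Automatic HTTPS is left at Caddy's default (enabled).
    # The previous `auto_https off` disabled certificate management and the
    # built-in redirects, which left the https:// redirect targets and the HSTS
    # header below without a TLS certificate behind them.
}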

# HTTP to HTTPS redirect
# Each plain-HTTP site below only answers with a permanent redirect to the
# same host over https, keeping the original request URI.
# The redirect host is taken from this file ({$DOMAIN}, default "localhost"),
# not from the request's Host header.
http://{$DOMAIN:localhost} {
    redir https://{$DOMAIN:localhost}{uri} permanent
}

http://api.{$DOMAIN:localhost} {
    redir https://api.{$DOMAIN:localhost}{uri} permanent
}

# NOTE(review): this redirect exists whenever the file is loaded; remove it
# together with the adminer site when building the production config.
http://adminer.{$DOMAIN:localhost} {
    redir https://adminer.{$DOMAIN:localhost}{uri} permanent
}

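# API Service
# Public entry point for the API: terminates the client connection and
# forwards every request to the swx-api container on port 8000.
api.{$DOMAIN:localhost} {
    # Reverse proxy to API
    reverse_proxy swx-api:8000 {
        # Active health check: poll the upstream every 10s, fail after 5s.
        health_uri /api/utils/health-check
        health_interval 10s
        health_timeout 5s

        # Forwarded headers are overwritten with the address of the directly
        # connected peer, so a value supplied by the client never reaches the
        # backend. If another proxy or load balancer is placed in front of
        # Caddy, {remote_host} becomes that proxy's address and these lines
        # need revisiting. The backend should trust these headers only on
        # requests that arrive through Caddy.
        header_up X-Real-IP {remote_host}
        header_up X-Forwarded-For {remote_host}
        header_up X-Forwarded-Proto {scheme}
    }

    # Security headers (added to responses)
    header {
        # HSTS: one year, including subdomains of this host. "preload" has no
        # effect unless the domain is also submitted to the browser preload
        # list, and that is hard to undo - confirm it is intended.
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

        # Disable MIME type sniffing
        X-Content-Type-Options "nosniff"
        # Forbid rendering responses inside frames (clickjacking defence)
        X-Frame-Options "DENY"
        # The legacy browser XSS filter is deprecated and could itself be
        # abused; current guidance is to switch it off explicitly (was
        # "1; mode=block") and rely on output encoding / CSP instead.
        X-XSS-Protection "0"

        # Remove server header
        -Server
    }

    # Access log to stdout in human-readable console format
    log {
        output stdout
        format console
    }
}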

# Adminer (database admin UI) - intended for development only.
# NOTE(review): nothing in this block checks the environment. If this file is
# deployed unchanged, adminer.{DOMAIN} is proxied like any other site. Remove
# this block from the production config or put access control in front of it.
adminer.{$DOMAIN:localhost} {
    # Despite its name, @dev is not an environment check: it matches every
    # request except the path /health.
    @dev {
        not path /health
    }
    
    # Everything matched by @dev is forwarded to the adminer container;
    # /health is not proxied.
    reverse_proxy @dev adminer:8080
    
    # Security headers
    # Only nosniff and same-origin framing are set here; unlike the API site
    # there is no HSTS header and the Server header is not removed.
    header {
        X-Content-Type-Options "nosniff"
        X-Frame-Options "SAMEORIGIN"
    }
    
    # Access log to stdout in console format
    log {
        output stdout
        format console
    }
}

# Local development (no domain)
# Serves the API directly on the bare "localhost" name.
# This site sets no forwarded-header overrides and no security headers apart
# from removing Server, and has no log block of its own.
localhost {
    # Same upstream and active health check as the api.* site
    reverse_proxy swx-api:8000 {
        health_uri /api/utils/health-check
        health_interval 10s
        health_timeout 5s
    }
    
    header {
        # Remove server header
        -Server
    }
}
