# Caddy v2 config — automatic HTTPS from Let's Encrypt.
#
# Replace orthoglobe.org with your final domain before pointing DNS.
# Caddy will fetch a certificate on first run; make sure ports 80 + 443
# are open in the Contabo firewall *before* starting the stack, or the
# ACME HTTP challenge will fail and Caddy will keep retrying.
# Keep /data (Caddy's storage dir, used for certs, private keys and the
# ACME account) on a persistent volume: if it is recreated with the
# container, every restart re-issues certificates and will eventually hit
# Let's Encrypt rate limits.

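{
    # Operator contact for the ACME account (Let's Encrypt sends expiry
    # notices here). Taken from ACME_EMAIL when that variable is set, else
    # the hard-coded address — the env override has to be wired up here, a
    # comment alone did not make it happen.
    email {$ACME_EMAIL:info@orthoglobe.org}
    # Per-host Prometheus metrics, served on the admin API (bound to
    # localhost:2019 by default — confirm it is not published from the
    # container). This has nothing to do with the "Server: Caddy" response
    # header; that is removed by the `-Server` op in the site block.
    servers {
        metrics
    }
}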

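orthoglobe.org, www.orthoglobe.org {
    # Canonicalise www → apex. 308 keeps the method and body, so POSTs to
    # the www host are not silently turned into GETs.
    @www host www.orthoglobe.org
    redir @www https://orthoglobe.org{uri} 308

    # Response compression. Caddy only compresses text-like content types by
    # default. Caveat: if the app ever embeds a per-session secret (CSRF
    # token, etc.) in HTML that also reflects user input, compressing that
    # page gives an attacker a BREACH-style oracle — narrow this with a
    # `match` block in that case.
    encode zstd gzip

    # The Next.js app listens on port 3000 inside the app container. Static
    # uploads are served by the app itself from its public/ bind mount
    # (Sharp names them by sha256, so there are no cache-busting concerns).
    #
    # The client-identity headers are *overwritten*, not appended: whatever
    # X-Forwarded-For a caller sends is discarded, so the app can trust the
    # value. That is only correct because Caddy is the edge (the host
    # firewall exposes 80/443 directly to it). If a CDN or another proxy is
    # ever put in front, drop these lines and use `trusted_proxies` instead,
    # otherwise every request will appear to come from that proxy.
    reverse_proxy app:3000 {
        header_up X-Real-IP {remote_host}
        header_up X-Forwarded-For {remote_host}
        header_up X-Forwarded-Proto {scheme}
    }

    # Security headers layered on top of the CSP the app already sends.
    # `defer` applies these ops after the upstream response has been
    # received, so Caddy's values replace — rather than duplicate — any
    # same-named header the app sets, and the Server header is really gone.
    header {
        defer
        # `preload` + `includeSubDomains` is a one-way door once submitted to
        # hstspreload.org: every subdomain (staging included) must serve
        # valid HTTPS from then on. Drop `preload` if that is not intended.
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        X-Content-Type-Options "nosniff"
        Referrer-Policy "strict-origin-when-cross-origin"
        Permissions-Policy "camera=(), microphone=(), geolocation=()"
        # Upstream already sets Content-Security-Policy — don't double it up.
        # Don't advertise the proxy software.
        -Server
    }

    # NOTE(review): /data is also where Caddy keeps TLS private keys and the
    # ACME account key. Access logs contain client IPs and full request
    # URIs (anything passed in a query string lands here), and are the file
    # most likely to be shipped elsewhere — giving them their own volume
    # (e.g. /var/log/caddy) keeps log export/retention away from key material.
    log {
        output file /data/access.log {
            roll_size 50MiB
            roll_keep 5
        }
        format json
    }
}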

# Optional staging subdomain for pre-flight testing — leave commented out if
# unused. Point staging.orthoglobe.org at the same box to enable.
# Note: as written this proxies the SAME app container, so it only adds a
# second hostname gated by basic auth — it is not an isolated environment.
# The `header` block above is per-site and does not apply here; add the same
# security headers (or factor them into a snippet) before enabling this.
# The main site's HSTS uses includeSubDomains, so staging must stay
# HTTPS-only (Caddy's automatic certificate covers that).
# The hash below is a placeholder; generate a real one with
# `caddy hash-password`. Older Caddy expects the bcrypt hash base64-encoded
# as shown; in Caddy 2.8+ the directive is `basic_auth` and takes the raw
# bcrypt string — check the version you deploy.
# staging.orthoglobe.org {
#     reverse_proxy app:3000
#     basicauth {
#         preview JDJhJDE0JHJyMy8uLi4=    # placeholder — replace with `caddy hash-password` output
#     }
# }
