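# ---------------------------------------------------------------------------
# Caddyfile for the data-pro.nu services.
#
# Every site block below is served over HTTPS with Caddy-managed certificates.
# The global `email` is the ACME account contact; a per-site `tls <email>` line
# overrides it for that site only (keycloak/collabora/gitea use caddy@, the
# rest inherit info@ — both addresses are kept as the author wrote them).
#
# Fix applied in this revision: the SIGNALING site had a site-level
# `reverse_proxy localhost:8090` next to a catch-all `handle { ... }`. Caddy
# evaluates `handle`/`handle_path` before a bare `reverse_proxy` and the
# catch-all handle terminates every request, so that line could never run
# (and `localhost` inside a Caddy container would not be the signaling
# service anyway). It has been removed; `handle { reverse_proxy signaling:8090 }`
# is the effective route and is unchanged.
# ---------------------------------------------------------------------------

# Global options
{
	email info@data-pro.nu
	# Optional: point at the Let's Encrypt staging CA while testing so that
	# repeated reloads do not exhaust production issuance rate limits.
	# acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}

# Common security headers, reused with `import nextcloud_security_headers`.
# NOTE(review): `header` applies its operations immediately, before the
# request is proxied. When the upstream also emits one of these headers
# (Nextcloud sends several of them itself), the response can end up carrying
# two values. Adding the `defer` subdirective inside `header { ... }` makes
# Caddy's value replace the upstream one — confirm against the upstream's own
# headers before enabling it.
(nextcloud_security_headers) {
	header {
		# HTTPS only: max-age 15552000 s = 180 days, covering subdomains.
		# `preload` has no effect on its own: it only matters once the apex
		# domain is submitted to hstspreload.org, and that list currently
		# requires max-age >= 31536000 (1 year). Raise the value if submission
		# is planned; otherwise the directive is harmless.
		Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
		# Prevent MIME-type sniffing
		X-Content-Type-Options "nosniff"
		# Disallow embedding in iframes from other origins (clickjacking)
		X-Frame-Options "SAMEORIGIN"
		# Ask search engines not to index these services
		X-Robots-Tag "noindex, nofollow"
		# Cross-domain policy restrictions (Flash/PDF readers)
		X-Permitted-Cross-Domain-Policies "none"
		# Legacy XSS filter header. Current browsers ignore it and the OWASP
		# headers guidance is to send "0" (or omit it) on modern deployments;
		# kept as-is because it is documented here as legacy.
		X-XSS-Protection "1; mode=block"
		# No referrer leakage to third parties
		Referrer-Policy "no-referrer"
	}
}

# KEYCLOAK
keycloak.data-pro.nu {
	import nextcloud_security_headers
	# Caddy sets X-Forwarded-For/Proto/Host automatically; Keycloak must be
	# configured to trust its proxy for those headers (Keycloak-side setting).
	reverse_proxy keycloak:8080
	log {
		output file /var/log/caddy/keycloak-access.log {
			roll_size 10mb
			roll_keep 5
			roll_keep_for 720h
		}
		format json
	}
	tls caddy@data-pro.nu
}

# NEXTCLOUD
# Hostname normalised to lowercase (was "Nextcloud.data-pro.nu"). Host
# matching and certificate names are case-insensitive, so this is a
# consistency fix only.
nextcloud.data-pro.nu {
	import nextcloud_security_headers

	# Enable compression
	encode zstd gzip

	# Permanent redirects for CalDAV/CardDAV discovery
	redir /.well-known/carddav /remote.php/dav 301
	redir /.well-known/caldav /remote.php/dav 301

	# Janus on a subpath (optional). `handle_path` strips the /janus prefix
	# before proxying.
	handle_path /janus* {
		reverse_proxy janus:8088
	}
	# Janus WebSocket. NOTE(review): here `handle /ws` keeps the /ws path,
	# whereas the SIGNALING site uses `handle_path /ws` and strips it — only
	# one of the two can match what Janus actually serves; verify which.
	# Caddy's reverse_proxy negotiates WebSocket upgrades natively, so the
	# explicit header_up lines are redundant but harmless.
	handle /ws {
		reverse_proxy janus:8188 {
			header_up Host {host}
			header_up Connection upgrade
			header_up Upgrade {header.Upgrade}
		}
	}

	# Main Nextcloud reverse proxy (everything not matched above)
	reverse_proxy nextcloud:80

	# Access logging
	log {
		output file /var/log/caddy/access.log {
			roll_size 10mb
			roll_keep 5
			roll_keep_for 720h
		}
		format json
	}
}

# GITLAB
gitlab.data-pro.nu {
	# GitLab terminates its own TLS on 443. NOTE(review): tls_insecure_skip_verify
	# disables certificate verification on the Caddy -> GitLab hop, so that hop
	# is only as trustworthy as the network between the two containers. If the
	# GitLab certificate is self-signed, prefer trusting it explicitly with
	# `tls_trusted_ca_certs <ca.pem>` (plus `tls_server_name` if the name
	# differs) instead of skipping verification.
	reverse_proxy gitlab:443 {
		transport http {
			tls_insecure_skip_verify
		}
	}
}

# SIGNALING (JANUS WS fallback)
signaling.data-pro.nu {
	encode gzip
	tls info@data-pro.nu

	handle_path /janus* {
		reverse_proxy janus:8088
	}
	# /ws is stripped to / before reaching Janus (see note on the NEXTCLOUD
	# site about the differing /ws handling there).
	handle_path /ws {
		reverse_proxy janus:8188 {
			header_up Host {host}
			header_up Connection "upgrade"
			header_up Upgrade {header.Upgrade}
		}
	}
	# Catch-all: everything else goes to the signaling service.
	handle {
		reverse_proxy signaling:8090
	}

	log {
		output file /var/log/caddy/signaling-access.log
		format console
	}
}

# COLLABORA
collabora.data-pro.nu {
	reverse_proxy collabora:9980
	encode gzip
	tls caddy@data-pro.nu
}

# JANUS DIRECT
janus.data-pro.nu {
	reverse_proxy janus:8188
	encode gzip
}

# TURN (informational HTTPS endpoint only; TURN itself runs outside Caddy)
turn.data-pro.nu {
	# NOTE(review): on_demand issues the certificate lazily on first
	# connection. Because the hostname is explicit, issuance is limited to
	# this name, but a normally managed certificate works here without
	# on_demand; if on_demand is kept, consider the `on_demand_tls { ask ... }`
	# global option, which Caddy recommends to guard against issuance abuse.
	tls {
		on_demand
	}
	respond "TURN server is running on UDP 3478 and TLS 5349" 200
}

# GITEA
gitea.data-pro.nu {
	# Same security header set used elsewhere
	import nextcloud_security_headers
	encode zstd gzip
	reverse_proxy gitea:3000
	log {
		output file /var/log/caddy/gitea-access.log {
			roll_size 10mb
			roll_keep 5
			roll_keep_for 720h
		}
		format json
	}
	tls caddy@data-pro.nu
}

# n8n
# (No access log configured here; add a `log { ... }` block mirroring the
# other sites if request auditing is wanted for n8n.)
n8n.data-pro.nu {
	# Reuse the common security headers snippet
	import nextcloud_security_headers
	# Compression
	encode zstd gzip
	reverse_proxy n8n:5678
}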