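# =============================================================================
# NetBird v1.6 Caddyfile - SSL Mode with Public IP (Self-Signed)
# =============================================================================
# Uses Caddy's internal CA to generate self-signed certificates for IP access.
# Note: Let's Encrypt IP certificates are supported but Caddy's implementation
# is incomplete (issue #7399). Using self-signed as reliable fallback.
#
# `{{ netbird_domain }}` is a Jinja2-style template placeholder rendered before
# Caddy reads this file; in this mode it is expected to hold the public IP
# address that the site block below binds to.

{
	servers :80,:443 {
		protocols h1 h2c h2
	}
	# Required for IP-based TLS - clients don't send SNI for IP addresses
	# Docker networking makes Caddy see internal IPs, so we need default_sni
	default_sni {{ netbird_domain }}
}

(security_headers) {
	header * {
		# Apply these operations after the upstream response arrives so the
		# values below win over (and -Server actually strips) headers set by
		# the proxied services. Caddy already defers the block on its own when
		# it contains a delete such as -Server; stating it explicitly keeps that
		# behaviour even if the -Server line is later removed.
		defer
		# `preload` dropped: the HSTS preload list requires max-age >= 31536000
		# and is a long-lived, hard-to-revoke commitment, which does not fit a
		# self-signed IP deployment; with max-age=3600 the token was meaningless.
		# Browsers also ignore HSTS for IP-literal hosts (RFC 6797) and for
		# responses served over a connection with certificate errors, so this
		# header only takes effect when netbird_domain is a DNS name and the
		# client trusts Caddy's internal root CA.
		Strict-Transport-Security "max-age=3600; includeSubDomains"
		X-Content-Type-Options "nosniff"
		X-Frame-Options "SAMEORIGIN"
		# "0" turns the legacy browser XSS auditor off. The auditor is deprecated
		# and has itself been a vector for cross-site information leaks, so
		# current guidance is to disable it rather than enable it.
		X-XSS-Protection "0"
		# Do not advertise the server software in responses.
		-Server
		Referrer-Policy strict-origin-when-cross-origin
	}
}

:80 {
	# Redirect HTTP to HTTPS with a 301. {host} echoes the client's Host
	# header, so the target is whatever host the client asked for.
	redir https://{host}{uri} permanent
}

# Bind to IP address explicitly so Caddy knows what certificate to generate
https://{{ netbird_domain }} {
	# Use Caddy's internal CA for self-signed certificate; TLS 1.0/1.1 are
	# not offered.
	tls internal {
		protocols tls1.2 tls1.3
	}

	import security_headers

	# Caddy sorts same-named directives by path-matcher length (longest first),
	# so the /* catch-all at the bottom is evaluated last regardless of the
	# order written here. Note that `/relay*` also matches paths such as
	# `/relay-anything`, not only `/relay` and `/relay/...`.

	# Embedded IdP OAuth2 endpoints
	reverse_proxy /oauth2/* management:80
	reverse_proxy /.well-known/openid-configuration management:80
	reverse_proxy /.well-known/jwks.json management:80

	# NetBird Relay
	reverse_proxy /relay* relay:80

	# NetBird Signal (gRPC, cleartext HTTP/2 to the upstream)
	reverse_proxy /signalexchange.SignalExchange/* h2c://signal:10000

	# NetBird Management API (gRPC, cleartext HTTP/2 to the upstream)
	reverse_proxy /management.ManagementService/* h2c://management:80

	# NetBird Management REST API
	reverse_proxy /api/* management:80

	# NetBird Dashboard (catch-all)
	reverse_proxy /* dashboard:80
}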