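# =============================================================================
# Shared Caddy - NetBird GitOps PoC
# =============================================================================
# One Caddy instance fronts both sites below and forwards each request to a
# backend addressed by service name. The {{ ... }} values are template
# placeholders and must be rendered before Caddy loads this file.
{
    servers :80,:443 {
        # NOTE(review): h2c also enables cleartext HTTP/2 on these listeners.
        # Confirm a client really needs it; h1 h2 h3 is the narrower set.
        protocols h1 h2c h2 h3
    }

    # Contact address for the ACME account used to obtain certificates.
    email {{ letsencrypt_email }}
}

# Response headers shared by every site that imports this snippet.
(security_headers) {
    header * {
        # HSTS with a one-hour lifetime, short enough to back out of while the
        # PoC is still being tested. "preload" is intentionally not sent:
        # preload-list submission requires a max-age of at least one year, so
        # at 3600 it only advertised an intent the policy could not meet.
        # includeSubDomains applies to every subdomain of the site name, so
        # make sure all of them serve valid TLS before raising max-age.
        Strict-Transport-Security "max-age=3600; includeSubDomains"

        # Stop browsers from guessing a content type other than the declared one.
        X-Content-Type-Options "nosniff"

        # Clickjacking protection: only same-origin pages may frame these sites.
        X-Frame-Options "SAMEORIGIN"

        # The legacy browser XSS filter has been removed from current browsers
        # and "1; mode=block" could cause problems of its own in the old ones
        # that had it. Current guidance is to switch it off explicitly and rely
        # on a Content-Security-Policy instead.
        # NOTE(review): no CSP is set here; confirm the backends send their own.
        X-XSS-Protection "0"

        # Drop the Server header so the proxy software is not advertised.
        -Server

        # Send only the origin on cross-origin requests and nothing on a
        # downgrade from HTTPS to HTTP.
        Referrer-Policy strict-origin-when-cross-origin
    }
}

# =============================================================================
# Gitea
# =============================================================================
{{ gitea_domain }} {
    import security_headers

    # Plain HTTP to the backend; this relies on the network between Caddy and
    # gitea being private. Keep the backend port unpublished on the host.
    reverse_proxy gitea:{{ gitea_http_port }}
}

# =============================================================================
# NetBird
# =============================================================================
# All NetBird backends below are reached without TLS (HTTP or h2c), so the
# same private-network assumption applies to management, relay, signal and
# dashboard. Caddy sorts same-named directives by path-matcher specificity,
# so the /* rule acts as the fallback regardless of where it is written.
{{ netbird_domain }} {
    import security_headers

    # Embedded IdP OAuth2 endpoints
    reverse_proxy /oauth2/* management:80
    reverse_proxy /.well-known/openid-configuration management:80
    reverse_proxy /.well-known/jwks.json management:80

    # NetBird Relay
    reverse_proxy /relay* relay:80

    # NetBird Signal (gRPC)
    reverse_proxy /signalexchange.SignalExchange/* h2c://signal:10000

    # NetBird Management API (gRPC)
    reverse_proxy /management.ManagementService/* h2c://management:80

    # NetBird Management REST API
    reverse_proxy /api/* management:80

    # NetBird Dashboard (catch-all)
    reverse_proxy /* dashboard:80
}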