# Caddy Configuration for Homelab
# Location: /srv/docker/caddy/Caddyfile
# Last Updated: April 29, 2026

# ============================================================================
# Kopia Web UI - HTTPS Reverse Proxy
# ============================================================================
kopia.jgitta.com {
    # Reverse proxy to Kopia Web UI running on localhost:51515
    reverse_proxy 127.0.0.1:51515 {
        # Pass original headers for proper proxying
        header_upstream X-Forwarded-Proto {scheme}
        header_upstream X-Forwarded-Host {http.request.host}
        header_upstream X-Forwarded-For {http.request.remote.host}

        # WebSocket support (Kopia uses WebSockets for real-time updates)
        header_upstream Connection {http.request.header.Connection}
        header_upstream Upgrade {http.request.header.Upgrade}

        # Timeout settings for backup operations (which can be slow)
        timeout 300s
    }

    # Security headers
    header {
        # Prevent MIME type sniffing
        X-Content-Type-Options "nosniff"

        # Clickjacking protection
        X-Frame-Options "SAMEORIGIN"

        # XSS protection
        X-XSS-Protection "1; mode=block"

        # HTTPS enforcement (HSTS)
        # max-age: 1 year, includeSubDomains: apply to subdomains
        Strict-Transport-Security "max-age=31536000; includeSubDomains"

        # Content Security Policy (basic)
        Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"

        # Referrer policy
        Referrer-Policy "strict-origin-when-cross-origin"

        # Permissions policy
        Permissions-Policy "geolocation=(), microphone=(), camera=()"
    }

    # Logging
    log {
        output stdout
        format json
    }

    # Enable TLS (automatic, self-signed for internal use)
    tls internal
}

# ============================================================================
# HTTP to HTTPS Redirect
# ============================================================================
http://kopia.jgitta.com {
    # Redirect all HTTP traffic to HTTPS
    redir https://kopia.jgitta.com{uri} permanent
}

# ============================================================================
# Portainer - Docker Management UI on siklos
# ============================================================================
portainer.jgitta.com {
    # Reverse proxy to Portainer on siklos (HTTP port — Caddy handles TLS)
    reverse_proxy 192.168.88.27:9000 {
        header_upstream X-Forwarded-Proto {scheme}
        header_upstream X-Forwarded-Host {http.request.host}
        header_upstream X-Forwarded-For {http.request.remote.host}
    }

    # Security headers
    header {
        X-Content-Type-Options "nosniff"
        X-Frame-Options "SAMEORIGIN"
        X-XSS-Protection "1; mode=block"
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        Referrer-Policy "strict-origin-when-cross-origin"
    }

    log {
        output stdout
        format json
    }

    tls internal
}

http://portainer.jgitta.com {
    redir https://portainer.jgitta.com{uri} permanent
}
