# HIY — Caddyfile
#
# Caddy automatically obtains a Let's Encrypt certificate for every domain it
# serves (HTTP-01 challenge). No Cloudflare or DNS API token required.
#
# Requirements:
#   - Ports 80 and 443 must be publicly reachable (router port-forward to Pi)
#   - DNS A record for {$DOMAIN_SUFFIX} must point to your public IP
#   - Set ACME_EMAIL in infra/.env (Let's Encrypt needs a contact address)
#
# Local dev: set DOMAIN_SUFFIX=localhost in infra/.env — Caddy will issue a
# certificate from its internal CA automatically for localhost.

{
    # Admin API — used by hiy-server to add/remove app routes dynamically.
    # Listens on all interfaces so the server container can reach it via Docker
    # networking (http://caddy:2019). Port 2019 must NOT be port-forwarded on
    # the host or router — see docker-compose.yml.
    #
    # The admin endpoint is unauthenticated: any client that can reach
    # caddy:2019 can replace the running configuration (routes, upstreams, TLS
    # settings). Network isolation is the only control here, so:
    #   - do not publish 2019 under `ports:` in docker-compose.yml;
    #   - keep the network that can reach this port limited to Caddy and
    #     hiy-server.
    # NOTE(review): forgejo and the dynamically deployed apps are proxied by
    # container name / address below, so they presumably share a network with
    # Caddy and could reach this port too — confirm the network layout in
    # docker-compose.yml. If they do, consider a dedicated admin-only network,
    # or the admin block's `origins` / `enforce_origin` options (verify that
    # hiy-server sends a matching Host/Origin before enabling them).
    admin 0.0.0.0:2019

    # Email for Let's Encrypt expiry notices (set ACME_EMAIL in .env).
    # NOTE(review): with ACME_EMAIL unset this expands to a bare `email` with
    # no argument — confirm Caddy still starts in that case, since the
    # "ACME_EMAIL unset" mode below relies on it.
    email {$ACME_EMAIL:}
}

# HIY dashboard — served at your root domain.
# TLS behaviour:
#   ACME_EMAIL set   → Caddy requests a Let's Encrypt cert (production)
#   ACME_EMAIL unset → Caddy uses its built-in internal CA (local / LAN domains)
# Certificates from the internal CA are only trusted by clients that have
# Caddy's root certificate installed; other clients will show a trust warning.
{$DOMAIN_SUFFIX:localhost} {
    tls {$ACME_EMAIL:internal}
    reverse_proxy server:3000
}

# ── Static services (not managed by HIY) ──────────────────────────────────────

# Set FORGEJO_DOMAIN in .env (e.g. git.yourdomain.com). Falls back to a
# non-routable placeholder so Caddy starts cleanly even if Forgejo isn't used.
# Same TLS selection as the dashboard block above (ACME when ACME_EMAIL is set,
# internal CA otherwise).
{$FORGEJO_DOMAIN:forgejo.localhost} {
    tls {$ACME_EMAIL:internal}
    reverse_proxy forgejo:3000
}

# Deployed apps are added here dynamically by hiy-server via the Caddy API.
# Each entry looks like (angle-bracket values are placeholders):
#
#   myapp.{$DOMAIN_SUFFIX} {
#       reverse_proxy <upstream-host>:<port>
#   }