# HIY — Caddyfile
#
# Caddy automatically obtains a Let's Encrypt certificate for every domain it
# serves (HTTP-01 challenge).  No Cloudflare or DNS API token required.
#
# Requirements:
#   - Ports 80 and 443 must be publicly reachable (router port-forward to Pi)
#   - DNS A record for {$DOMAIN_SUFFIX} must point to your public IP
#   - Set ACME_EMAIL in infra/.env (Let's Encrypt needs a contact address)
#
# Local dev: set DOMAIN_SUFFIX=localhost in infra/.env — Caddy will use a
# self-signed cert automatically for localhost.

{
    # Admin API — used by hiy-server to add/remove app routes dynamically.
    admin 0.0.0.0:2019

    # Contact email for Let's Encrypt expiry notices.
    email {$ACME_EMAIL}
}

# HIY dashboard — served at your root domain.
{$DOMAIN_SUFFIX} {
    reverse_proxy server:3000
}

# Deployed apps are added here dynamically by hiy-server via the Caddy API.
# Each entry looks like:
#
# myapp.{$DOMAIN_SUFFIX} {
#     reverse_proxy <container-ip>:<port>
# }