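# FlatRender V2 — Caddy reverse proxy
#
# Domains are injected via environment variables so this file is environment-agnostic.
# Set in .env.v2:
#   DOMAIN          e.g. flatrender.io          (→ https://flatrender.io)
#   API_DOMAIN      e.g. api.flatrender.io      (→ https://api.flatrender.io)
#   STORAGE_DOMAIN  e.g. storage.flatrender.io  (→ https://storage.flatrender.io)
#
# Site addresses use the parse-time form {$VAR}. The runtime placeholder
# {env.VAR} is not expanded in site addresses, so Caddy would not learn the
# real hostnames and could not match requests or obtain certificates for them.
# The variables must be present in the Caddy process environment at start-up.
#
# Caddy auto-provisions Let's Encrypt TLS for all three. For local dev without
# real domains, replace with http:// blocks and remove the ACME config.

{$DOMAIN} {
	# Frontend (Next.js standalone, port 3000 inside Docker)
	reverse_proxy frontend:3000

	# Security headers
	header {
		# includeSubDomains on this host covers every subdomain of DOMAIN for
		# one year in any browser that has seen the header; confirm that no
		# subdomain still needs plain HTTP before deploying.
		Strict-Transport-Security "max-age=31536000; includeSubDomains"
		X-Content-Type-Options "nosniff"
		X-Frame-Options "SAMEORIGIN"
		Referrer-Policy "strict-origin-when-cross-origin"
		# Do not advertise the server software
		-Server
	}

	encode gzip
}

{$API_DOMAIN} {
	# V2 API gateway (port 8080 inside Docker)
	reverse_proxy gateway:8080

	header {
		Strict-Transport-Security "max-age=31536000; includeSubDomains"
		X-Content-Type-Options "nosniff"
		-Server
	}

	# Allow large body for file uploads routed through the gateway.
	# NOTE(review): this cap applies to every request on the API domain, not
	# only upload routes; confirm the gateway authenticates callers before it
	# accepts bodies of this size.
	request_body {
		max_size 512MB
	}
}

{$STORAGE_DOMAIN} {
	# MinIO S3 API (port 9000 inside Docker) — used for presigned URL downloads
	reverse_proxy minio:9000

	header {
		Strict-Transport-Security "max-age=31536000; includeSubDomains"
		X-Content-Type-Options "nosniff"
		-Server
	}

	# Pre-flight (CORS) passthrough — MinIO handles its own CORS headers.
	# OPTIONS requests are proxied to MinIO like any other request. No
	# `respond` is used for OPTIONS here: `respond` is ordered before
	# `reverse_proxy`, so it would answer with a 204 that carries no
	# Access-Control-* headers and browsers would reject the pre-flight.
}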