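# Caddy configuration for Opal Task Manager
# Copy to /etc/caddy/Caddyfile and customize.
#
# Layout: one site block that serves the static PWA build, proxies /api/* to a
# local backend, and applies response headers, access logging and compression.
# Replace opal.example.com and auth.example.com with the real hostnames.

opal.example.com {
    # Root directory for static PWA build
    root * /var/www/opal

    # API reverse proxy - strip /api prefix before forwarding
    handle /api/* {
        uri strip_prefix /api
        reverse_proxy localhost:8080 {
            # Optional: custom headers
            # header_up sets the field, so a client-supplied X-Real-IP is
            # overwritten. {remote_host} is the immediate peer address: if
            # Caddy itself sits behind another proxy or CDN, this is that
            # proxy's address rather than the end client's.
            header_up X-Real-IP {remote_host}
            # Caddy already sets X-Forwarded-Proto when proxying; this line is
            # redundant but harmless.
            header_up X-Forwarded-Proto {scheme}
        }
        # The backend should accept these headers only from Caddy. Keep it
        # bound to loopback so it cannot be reached directly.
    }

    # Static file serving with SPA fallback
    handle {
        # Try to serve static file, fallback to index.html for client-side routing
        try_files {path} /index.html
        file_server
    }

    # Security headers (applied to static and proxied responses alike)
    header {
        # Force HTTPS
        # includeSubDomains + preload commits every subdomain of the site to
        # HTTPS for a year, and preload-list entries are slow to remove.
        # Start with a short max-age without preload until all subdomains are
        # confirmed to serve valid TLS.
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

        # Prevent clickjacking
        # The CSP frame-ancestors directive is the modern equivalent; it is
        # not covered by default-src, so add it to the policy below if framing
        # must also be restricted through CSP.
        X-Frame-Options "SAMEORIGIN"

        # Disable MIME-type sniffing, so responses are handled only as their
        # declared Content-Type. This is not a general XSS control.
        X-Content-Type-Options "nosniff"

        # Content Security Policy (adjust as needed)
        # 'unsafe-inline' in script-src allows inline <script> and event
        # handlers, which removes most of the protection CSP gives against
        # injected script. Replace it with nonces or hashes once the build no
        # longer relies on inline scripts. connect-src must list the real auth
        # origin in place of auth.example.com.
        Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self' https://auth.example.com; font-src 'self';"

        # Remove server info (cosmetic; does not replace patching)
        -Server
    }

    # Logging
    # Access logs record request URIs (including query strings) and client
    # addresses. Keep /var/log/caddy readable only by the caddy user and
    # operators, and keep tokens out of URLs.
    log {
        output file /var/log/caddy/opal.log {
            roll_size 10MB
            roll_keep 5
        }
        format json
    }

    # Compression
    encode gzip zstd

    # Rate limiting (optional)
    # rate_limit is not part of a stock Caddy build. It needs a build that
    # includes a rate-limiting module, otherwise the config fails to load once
    # this is uncommented. Keying on {remote_host} counts per immediate peer,
    # so clients behind a shared proxy or NAT share one bucket.
    # rate_limit {
    #     zone opal {
    #         key {remote_host}
    #         events 100
    #         window 1m
    #     }
    # }
}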