# Gitea Caddy Configuration - Rick-Infra
# Generated by Ansible Gitea role
# Deployed to {{ caddy_sites_enabled_dir }}/gitea.caddy

{{ gitea_http_domain }} {
    # Reverse proxy to Gitea
    reverse_proxy 127.0.0.1:{{ gitea_http_port }}

    # Security headers
    header {
        # Enable HSTS
        Strict-Transport-Security max-age=31536000;
        # Prevent embedding in frames
        X-Frame-Options DENY
        # Prevent content type sniffing
        X-Content-Type-Options nosniff
        # XSS protection
        X-XSS-Protection "1; mode=block"
    }

    # Logging
    log {
        output file /var/log/caddy/gitea_access.log
    }

    # Optional: Custom error pages
    handle_errors {
        respond "Git service temporarily unavailable" 503
    }
}

# Rick-Infra: Self-contained Gitea service with Caddy reverse proxy