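# Nextcloud Cloud Storage Service
# Caddy reverse proxy to FPM container with FastCGI transport
# Based on official Caddy php_fastcgi Docker example and Nextcloud NGINX config

{{ nextcloud_domain }} {
    # Caddy root - host path where static files exist for serving.
    # This allows Caddy to find files to serve directly (CSS, JS, images).
    # Everything under this path that is not matched by @forbidden below is
    # reachable through file_server, so keep the deny list in step with the
    # directory layout.
    root * {{ nextcloud_html_dir }}

    # .well-known redirects for CalDAV/CardDAV (must be before php_fastcgi)
    redir /.well-known/carddav /remote.php/dav 301
    redir /.well-known/caldav /remote.php/dav 301

    # Handle .well-known requests that aren't explicitly redirected above.
    # Let Nextcloud's API handle all other /.well-known/* URIs.
    redir /.well-known/* /index.php{uri} 301

    # Block access to sensitive directories (adapted from NGINX config).
    # Match both the directory itself and anything under it.
    # The last line covers root-level dotfiles and Nextcloud maintenance
    # entry points; dotfiles in nested directories are not matched here.
    @forbidden {
        path /build /build/*
        path /tests /tests/*
        path /config /config/*
        path /lib /lib/*
        path /3rdparty /3rdparty/*
        path /templates /templates/*
        path /data /data/*
        path /.* /autotest* /occ* /issue* /indie* /db_* /console*
    }
    respond @forbidden 404

    # PHP-FPM with container root for SCRIPT_FILENAME.
    # The nested 'root' directive tells FPM where files are in the container.
    # Per official Caddy docs: https://caddyserver.com/docs/caddyfile/directives/php_fastcgi
    # NOTE(review): the upstream NGINX config only hands a fixed set of .php
    # entry points to FPM and rewrites the rest to index.php; php_fastcgi passes
    # any existing .php path outside @forbidden. Confirm that is intended.
    php_fastcgi 127.0.0.1:{{ nextcloud_fpm_port }} {
        root /var/www/html
        env front_controller_active true
        # Tells Nextcloud the web server sets the security headers, so Nextcloud
        # does not send its own fallback copies. The header block below must
        # therefore carry the complete set.
        env modHeadersAvailable true
    }

    # Serve static files directly (CSS, JS, images, fonts, etc.)
    # Disable index serving to let php_fastcgi handle / and /index.php.
    # This prevents index.html from being served instead of routing to index.php.
    file_server {
        index off
    }

    # Security headers (adapted from Nextcloud NGINX config)
    header {
        # HSTS with preload. includeSubDomains + preload applies to every
        # subdomain of this host; confirm all of them are HTTPS-only.
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        # Prevent embedding in frames from other origins
        X-Frame-Options "SAMEORIGIN"
        # Prevent MIME type sniffing
        X-Content-Type-Options "nosniff"
        # Legacy XSS filter header, kept to match the Nextcloud reference config
        X-XSS-Protection "1; mode=block"
        # Referrer policy
        Referrer-Policy "no-referrer"
        # Refuse Flash/PDF cross-domain policy files (part of the Nextcloud
        # reference header set; not sent by Nextcloud when modHeadersAvailable is true)
        X-Permitted-Cross-Domain-Policies "none"
        # Keep the instance out of search engine indexes (same reference set)
        X-Robots-Tag "noindex, nofollow"
        # Disable FLoC tracking
        Permissions-Policy "interest-cohort=()"
        # Remove server header
        -Server
    }

    # Logging
    log {
        output file {{ caddy_log_dir }}/nextcloud.log
        level INFO
        format json
    }
}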