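# Authentik Caddy Configuration - Rick-Infra
# Generated by Ansible Authentik role
# Deployed to {{ caddy_sites_enabled_dir }}/authentik.caddy
#
# Site block for the Authentik authentication service: requests for the
# configured domain are forwarded to the Authentik HTTP listener on loopback,
# with hardening response headers, an access log and a generic error response.

{{ authentik_full_domain }} {
    # Reverse proxy to Authentik
    # NOTE(review): the upstream is addressed on 127.0.0.1; confirm the
    # container publishes this port on loopback only, otherwise clients can
    # reach Authentik directly and skip the headers and logging below.
    reverse_proxy 127.0.0.1:{{ authentik_http_port }}

    # Security headers for authentication service
    # NOTE(review): Authentik may send some of these headers itself. If
    # responses show duplicated or conflicting values, add `defer` inside this
    # block so Caddy's values are applied when the response is written.
    header {
        # Enable HSTS for one year. The value is quoted as a single token and
        # the stray trailing ";" is dropped. includeSubDomains is not set, so
        # the policy covers this host only.
        Strict-Transport-Security "max-age=31536000"

        # Prevent embedding in frames (clickjacking protection for login pages)
        X-Frame-Options DENY

        # Prevent content type sniffing
        X-Content-Type-Options nosniff

        # Legacy XSS auditor: explicitly disabled. "1; mode=block" is deprecated,
        # is ignored by current browsers, and could be abused for cross-site
        # leaks in older ones. XSS mitigation belongs in a Content-Security-Policy.
        X-XSS-Protection "0"

        # Referrer policy for privacy: cross-origin requests get the origin only,
        # so paths and query strings of authentication URLs are not sent.
        Referrer-Policy strict-origin-when-cross-origin
    }

    # Logging
    # Access log entries include the request URI with its query string. On an
    # identity provider this can carry authentication flow parameters, so keep
    # the file readable only by the Caddy user and by log shipping.
    log {
        output file /var/log/caddy/authentik_access.log
    }

    # Optional: Custom error pages
    # Every error raised by Caddy's own handlers for this site (for example an
    # unreachable upstream) is answered with this fixed message and status 503,
    # so no upstream or proxy detail reaches the client.
    handle_errors {
        respond "Authentication service temporarily unavailable" 503
    }
}

# Rick-Infra: Containerized Authentik authentication service with Caddy reverse proxy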