rick-infra/roles/vaultwarden/templates/vaultwarden.caddy.j2

# Vaultwarden Password Manager
{{ vaultwarden_domain }} {
    # Notifications endpoint (WebSocket for live sync)
    @websocket {
        path /notifications/hub
    }
    reverse_proxy @websocket http://127.0.0.1:{{ vaultwarden_http_port }} {
        header_up Upgrade {http.request.header.Upgrade}
        header_up Connection {http.request.header.Connection}
    }

    # Regular HTTP traffic
    reverse_proxy http://127.0.0.1:{{ vaultwarden_http_port }} {
        header_up Host {host}
        header_up X-Real-IP {remote_host}
        header_up X-Forwarded-Proto https
        header_up X-Forwarded-For {remote_host}
    }

    # Security headers
    header {
        X-Frame-Options SAMEORIGIN
        X-Content-Type-Options nosniff
        X-XSS-Protection "1; mode=block"
        Referrer-Policy strict-origin-when-cross-origin
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    }

    # Logging
    log {
        output file {{ caddy_log_dir }}/vaultwarden.log
        level INFO
        format json
    }
}