# Caddyfile for the kanrisha stack.
#
# Auto-issues a Let's Encrypt cert for $KANRISHA_DOMAIN and reverse-proxies to
# the Kanrisha app container.
#
# STUB: the upstream below points at the placeholder service on :80. Update the
# reverse_proxy target (service name + port) to match the real Kanrisha service
# in docker-compose.yml when you wire in part two.

{
    email {$ACME_EMAIL}
}

{$KANRISHA_DOMAIN} {
    encode zstd gzip

    reverse_proxy kanrisha:80 {   # TODO: real Kanrisha service + port
        header_up X-Real-IP {http.request.remote.host}
    }

    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        X-Content-Type-Options    "nosniff"
        Referrer-Policy           "strict-origin-when-cross-origin"
        -Server
    }

    log {
        output stdout
        format console
    }
}
