# Caddyfile for the webfinger + redirect stack.
#
# - /.well-known/webfinger -> dynamic JRD response, echoing the queried
#   resource as `subject` and pointing OIDC discovery at $ISSUER_URL.
# - everything else -> 301 to $REDIRECT_URL (preserving path + query).
#
# To also serve www: change `{$BASE_DOMAIN}` below to
# `{$BASE_DOMAIN}, www.{$BASE_DOMAIN}`.

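{
    email {$ACME_EMAIL}
    # Staging CA for testing without burning LE rate limits:
    # acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}

{$BASE_DOMAIN} {
    encode zstd gzip

    @webfinger path /.well-known/webfinger
    handle @webfinger {
        # RFC 7033 §4.2: a WebFinger request without a `resource` parameter is
        # malformed. Answer 400 rather than echoing an empty subject.
        # (`query resource=*` matches the parameter with any value, including
        # empty; `respond` is terminal, so the JRD below is not sent.)
        @noresource not query resource=*
        respond @noresource 400

        header Content-Type "application/jrd+json"
        header Cache-Control "public, max-age=3600"
        # RFC 7033 §5: the JRD must be readable cross-origin (browser-based
        # OIDC discovery); the document is public and contains no secrets.
        header Access-Control-Allow-Origin "*"

        # `templates` only renders response bodies whose Content-Type is in
        # its `mime` list (default: text/plain, text/markdown, text/html).
        # Content-Type is already application/jrd+json here, so the JRD type
        # must be listed or the {{...}} actions are sent to the client verbatim.
        templates {
            mime application/jrd+json
        }
        # `resource` is caller-controlled. `toJson` emits a quoted, escaped
        # JSON string, so a `"` or control character in the query cannot break
        # out of the document or inject extra members. Because `toJson` adds
        # the surrounding quotes, the literal quotes around the value are gone.
        respond `{
  "subject": {{.Req.URL.Query.Get "resource" | toJson}},
  "links": [
    {
      "rel": "http://openid.net/specs/connect/1.0/issuer",
      "href": "{$ISSUER_URL}"
    }
  ]
}` 200
    }

    # Catch-all: permanent redirect, keeping the original path and query.
    handle {
        redir {$REDIRECT_URL}{uri} permanent
    }

    # Applied to every response from this site, including the WebFinger JRD,
    # the 400 above and the redirect.
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        X-Content-Type-Options    "nosniff"
        Referrer-Policy           "strict-origin-when-cross-origin"
        -Server
    }

    log {
        output stdout
        format console
    }
}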
