# Caddyfile for beszel stack.
#
# Auto-issues a Let's Encrypt cert for $BESZEL_DOMAIN and reverse-proxies
# to the beszel hub on :8090. Agents and the web UI both go through this.

# Global options block.
{
    # Contact address for the ACME account used for certificate issuance.
    # {$ACME_EMAIL} is substituted from the environment before the Caddyfile
    # is parsed.
    # NOTE(review): if ACME_EMAIL is unset, `email` is left without an
    # argument; presumably Caddy rejects the config at startup, so confirm
    # the deployment always sets it.
    email {$ACME_EMAIL}
}

# Public site: terminates TLS for the configured domain and forwards all
# requests to the beszel hub container.
# NOTE(review): {$BESZEL_DOMAIN} is substituted before parsing; if it is unset
# the site address is empty, so confirm the deployment fails closed instead of
# starting with an unintended listener.
{$BESZEL_DOMAIN} {
    # Compress responses, preferring zstd and falling back to gzip.
    encode zstd gzip

    # NOTE(review): assumes beszel:8090 is reachable only on the internal
    # container network. If the hub port is also published on the host,
    # clients can bypass TLS and the response headers set below. Confirm this
    # against the compose/network configuration.
    reverse_proxy beszel:8090 {
        # Set X-Real-IP to the address of the direct TCP peer. header_up
        # replaces any value the client sent, so the client cannot forge it.
        # If another proxy or load balancer sits in front of Caddy, this is
        # that proxy's address rather than the end client's.
        header_up X-Real-IP {http.request.remote.host}
        # WebSocket / long-lived agent push streams: -1 disables response
        # buffering so each write is flushed to the client immediately.
        flush_interval -1
        transport http {
            # Allow up to 10 minutes between reads from / writes to the
            # upstream before the connection is considered dead. Long
            # timeouts keep idle streams open; each one holds a connection.
            read_timeout  10m
            write_timeout 10m
        }
    }

    # Response hardening headers. Because this block contains a deletion
    # (-Server), Caddy defers these operations until the response is written,
    # so they also apply to responses coming back from the upstream.
    header {
        # HSTS for one year. includeSubDomains extends the policy to every
        # subdomain of this host, so all of them must serve valid HTTPS.
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        # Stop browsers from MIME-sniffing responses into another type.
        X-Content-Type-Options    "nosniff"
        # Send only the origin (no path or query) on cross-origin navigations.
        Referrer-Policy           "strict-origin-when-cross-origin"
        # Drop the Server header to avoid advertising the server software.
        -Server
        # NOTE(review): no framing restriction (X-Frame-Options or a CSP
        # frame-ancestors directive) is set here. Confirm whether the hub
        # sends one itself, or whether the UI must be embeddable.
    }

    # Access log to stdout in human-readable console format, for collection
    # by the container runtime. Entries include the request URI, so treat the
    # log stream as sensitive if tokens can appear in query strings.
    # NOTE(review): console format is awkward to parse downstream. If these
    # logs feed detection or alerting, a structured format may fit better.
    log {
        output stdout
        format console
    }
}
