# Caddyfile for the copyparty stack.
#
# Auto-issues a Let's Encrypt cert for $COPYPARTY_DOMAIN and reverse-proxies the
# web UI / WebDAV to copyparty on :3923. SFTP and FTPS do NOT pass through here
# -- they are published straight from the copyparty container, so the TLS
# settings, response headers and access log in this file do not cover them.

# Global options block. Its only setting is the contact e-mail for the ACME
# account, taken from the ACME_EMAIL environment variable when Caddy parses
# this file.
# NOTE(review): an unset ACME_EMAIL presumably leaves `email` without an
# argument -- confirm the deployment always provides it.
{
    email {$ACME_EMAIL}
}

# Site block for the public hostname, read from the COPYPARTY_DOMAIN
# environment variable. All HTTP(S) traffic for that name is compressed,
# proxied to the copyparty container, given the response headers below and
# written to the access log.
# NOTE(review): certificate issuance and HTTPS here depend on the variable
# holding a real hostname -- confirm it is always set.
{$COPYPARTY_DOMAIN} {
    # Compress responses, offering zstd and gzip to clients.
    encode zstd gzip

    reverse_proxy copyparty:3923 {
        # Real client IP: Caddy already appends the genuine remote address to
        # X-Forwarded-For (it is the internet edge); copyparty trusts it via
        # `xff-src` in copyparty.conf. X-Real-IP is set too for good measure.
        # No trusted_proxies is configured in this file, so client-supplied
        # X-Forwarded-* values should not be passed on as-is by current Caddy
        # releases -- TODO confirm for the Caddy version deployed.
        # NOTE(review): copyparty.conf is not visible here; `xff-src` should
        # name only this proxy, and :3923 should not be reachable from outside
        # the stack, otherwise the forwarded address can no longer be trusted
        # for IP-based logging or bans.
        # header_up sets the header, replacing any X-Real-IP the client sent.
        header_up X-Real-IP {http.request.remote.host}

        # Stream uploads/downloads (no buffering) and allow long-lived large
        # transfers -- copyparty resumable uploads can run for a long time.
        # Caddy imposes no request-body size limit by default, so big uploads
        # stream straight through.
        # NOTE(review): with no limit at the proxy, any cap on upload size or
        # disk usage has to be enforced by copyparty itself -- verify its
        # configuration covers that.
        # flush_interval -1 flushes each write to the client immediately.
        flush_interval -1
        # Timeouts on the Caddy-to-copyparty connection (not the client side):
        # the longest wait for a single read from, or write to, the backend.
        transport http {
            read_timeout  1h
            write_timeout 1h
        }
    }

    # Response headers added for every reply from this site. Because one entry
    # is a deletion (`-Server`), Caddy defers these operations until the
    # response is written, so they also apply to proxied responses.
    header {
        # HSTS for one year. includeSubDomains extends it to every subdomain
        # of the site's hostname, so all of them must be served over HTTPS.
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        # Tell browsers not to MIME-sniff responses away from the declared
        # Content-Type.
        X-Content-Type-Options    "nosniff"
        # Send the full URL as referrer only to the same origin; other origins
        # get just the origin, and nothing on an HTTPS-to-HTTP downgrade.
        Referrer-Policy           "strict-origin-when-cross-origin"
        # Strip the Server header from responses.
        -Server
    }

    # Access log in human-readable console format on stdout, i.e. into the
    # container's log stream.
    # NOTE(review): each entry contains the request URI including its query
    # string. If clients pass credentials or secret links as URL parameters
    # (copyparty appears to accept a password that way -- confirm), those
    # values land in the logs; limit who can read them and how long they are
    # retained.
    log {
        output stdout
        format console
    }
}
