# Caddyfile for pocket-id stack (base).
#
#   $POCKETID_DOMAIN   pocket-id (via anubis PoW gate)
#
# An optional WebFinger site block (Caddyfile.webfinger) is appended by
# deploy.sh when BASE_DOMAIN is set -- for the case where the base domain has
# no other web server and you want this Caddy to serve OIDC discovery too.
# Otherwise use the dedicated `webfinger` deployment.

{
    # Global options.
    #
    # `email` is the contact for the ACME account Caddy creates automatically
    # (expiry and revocation notices go there). It is not a credential, but
    # it should be a monitored mailbox so a broken renewal is noticed.
    email {$ACME_EMAIL}
    # Uncomment for staging certs while testing (avoids LE rate limits):
    # acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}

# ----------------------------------------------------------------------------
# Auth: pocket-id behind anubis
# ----------------------------------------------------------------------------
{$POCKETID_DOMAIN} {
    # Caddy terminates TLS here (automatic HTTPS from the site address) and
    # hands every request to anubis, which fronts pocket-id with its PoW gate.

    # NOTE(review): compression also applies to proxied HTML. Pages that echo
    # attacker-controlled input next to a secret in the same compressed body
    # are the classic BREACH side channel; nothing on this page shows such a
    # page exists, but confirm rather than assume when adding custom pages.
    encode zstd gzip

    # anubis-pid:8923 -- presumably a container name on the compose network
    # only. TODO confirm the port is not also published on the host, otherwise
    # clients could reach anubis/pocket-id directly and bypass both TLS and
    # the forwarded-header handling below.
    reverse_proxy anubis-pid:8923 {
        # Set (not append) the client-identity headers from the TCP peer.
        # This stops a client-supplied X-Forwarded-For from being passed
        # through to anubis/pocket-id, which is correct only while this Caddy
        # is the internet-facing edge. If it is ever placed behind another
        # proxy (CDN, cloud LB), {remote_host} becomes that proxy's address;
        # then configure `trusted_proxies` in the global `servers` options and
        # drop the explicit X-Forwarded-For line so Caddy can append instead.
        header_up X-Real-IP {remote_host}
        header_up X-Forwarded-For {remote_host}
        header_up X-Forwarded-Proto {scheme}
        header_up X-Forwarded-Host {host}
    }

    # Response hardening. As I read Caddy's `header` directive, a block that
    # contains a deletion (`-Server`) is applied after the upstream response,
    # so the values here win over same-named headers from pocket-id/anubis --
    # confirm if the app ever needs to set one of these itself.
    header {
        # One year; `includeSubDomains` also pins every name below
        # {$POCKETID_DOMAIN}, so keep that in mind if sub-labels are ever
        # served over plain HTTP. No `preload` (list submission is a
        # separate, hard-to-reverse decision).
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        X-Content-Type-Options    "nosniff"
        # DENY blocks framing by any origin, including same-origin. Fine for a
        # standalone IdP login; revisit if an embedded flow is ever wanted.
        X-Frame-Options           "DENY"
        Referrer-Policy           "strict-origin-when-cross-origin"
        # Opts out of FLoC. The feature is discontinued; harmless to keep.
        Permissions-Policy        "interest-cohort=()"
        # Strip the Server banner (Caddy's and any upstream's).
        -Server
        # No Content-Security-Policy is set here. Whether pocket-id emits its
        # own is not visible from this file -- TODO confirm before relying
        # on it.
    }

    # Access log to stdout (collected by the container runtime). Entries
    # include the client IP and full request URI; OIDC authorization requests
    # carry state/nonce/client_id in the query string, so treat retention of
    # these logs as a privacy decision, not just an ops one.
    log {
        output stdout
        format console
    }
}
