# Caddyfile for headscale stack.
#
# Auto-issues a Let's Encrypt cert for $HEADSCALE_DOMAIN and reverse-proxies
# to headscale's HTTP listener on :8080. Tailscale clients require this
# exact hostname over HTTPS.

{
    # Global options. `email` is the ACME account contact used when Caddy
    # obtains the certificate for {$HEADSCALE_DOMAIN}. It comes from the
    # ACME_EMAIL environment variable; make sure the deployment actually
    # exports it, since an unset placeholder expands to an empty value.
    email {$ACME_EMAIL}
}

{$HEADSCALE_DOMAIN} {
    # Compress eligible responses (zstd preferred, gzip fallback).
    encode zstd gzip

    # Headplane web UI lives at /admin. Pass the path through unchanged
    # (headplane serves itself under /admin). Everything else is headscale's
    # control protocol.
    #
    # NOTE(review): nothing in this file restricts who can reach /admin; the
    # admin UI is exposed to every client that can reach this hostname and is
    # protected only by whatever login headplane itself enforces (not visible
    # here). If the UI is meant for operators only, consider a remote_ip
    # matcher (tailnet / management ranges) or an additional auth layer on
    # this handle — confirm against how headplane is configured.
    @admin path /admin /admin/*
    handle @admin {
        reverse_proxy headplane:3000
    }

    handle {
        reverse_proxy headscale:8080 {
            # Forward the client address as Caddy sees it
            # ({http.request.remote.host} is the direct TCP peer). Caddy is
            # believed to set X-Forwarded-For/-Proto itself by default — verify.
            # If Caddy sits behind another proxy or load balancer, this value is
            # that proxy's address unless `trusted_proxies` is configured in the
            # global `servers` options; check the deployment, since this is
            # presumably what headscale logs as the client address.
            header_up X-Real-IP {http.request.remote.host}
            # Stream upstream responses to the client without buffering, so
            # long-lived control-plane streams are not held back.
            flush_interval -1
            # NOTE(review): as far as I know, Caddy's http transport applies no
            # read/write timeout by default, so these two lines *add* a 10m
            # per-read / per-write cap on the backend connection rather than
            # lifting an idle limit. A control stream that stays silent for
            # more than 10m could therefore be torn down. Confirm this is the
            # intent against the Caddy docs for the deployed version; the
            # client-facing idle limit lives in the global `servers > timeouts`
            # option, not in this transport block.
            transport http {
                read_timeout  10m
                write_timeout 10m
            }
        }
    }

    # Hardening headers applied to every response from this site (both the
    # headplane UI and headscale's control endpoints).
    header {
        # One-year HSTS. `includeSubDomains` also forces HTTPS on every
        # subdomain of {$HEADSCALE_DOMAIN}; drop it if any subdomain must stay
        # reachable over plain HTTP. No `preload` token is set — only add one
        # after submitting the domain to the preload list.
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        # Stop browsers from MIME-sniffing responses (matters for the /admin UI).
        X-Content-Type-Options    "nosniff"
        # Send only the origin on cross-origin navigations/requests.
        Referrer-Policy           "strict-origin-when-cross-origin"
        # Do not advertise the proxy software in the Server header.
        -Server
    }

    # Access log to stdout (container-friendly, human-readable). Note it will
    # contain client IPs and request paths, so treat the log stream accordingly.
    log {
        output stdout
        format console
    }
}
