# Caddyfile for the brass-sigil-server web panel.
#
# Caddy auto-fetches and renews a Let's Encrypt cert for your domain,
# so HTTPS just works once DNS is pointed at the server and ports 80 + 443
# are open.
#
# Prereqs:
#   1. A domain name (e.g. panel.example.com) with an A/AAAA record pointing
#      at this server's public IP. Let's Encrypt does NOT issue certs for
#      raw IPs -- you need a hostname.
#   2. Inbound 80 (for the HTTP-01 ACME challenge) and 443 (for the panel)
#      open in your firewall and in any cloud security group.
#   3. Caddy installed:
#        sudo apt install caddy            # Debian / Ubuntu
#        brew install caddy                # macOS
#        winget install CaddyServer.Caddy  # Windows
#   4. brass-sigil-server running on localhost:8080 with webHost: localhost
#      and webPassword set (use `brass-sigil-server set-password` if you
#      haven't already).
#
# Install:
#   Linux package: replace /etc/caddy/Caddyfile with this file, then
#     sudo systemctl reload caddy
#   Manual:        caddy run --config Caddyfile

# Site block for the panel. Replace panel.example.com with the hostname that
# your A/AAAA record points at; a site address with a hostname is what makes
# Caddy manage the certificate automatically (and redirect plain HTTP to HTTPS).
panel.example.com {
    # Compress responses to browsers that accept gzip.
    encode gzip

    # Everything for this hostname is forwarded to brass-sigil-server, which
    # must be listening on localhost:8080 (webHost: localhost, see prereq 4).
    reverse_proxy localhost:8080 {
        # SSE log stream uses chunked streaming responses -- Caddy must not
        # buffer them, otherwise console updates arrive in batches every minute
        # instead of in real time.
        flush_interval -1

        # Pass the real client IP through. brass-sigil-server's ForwardedHeaders
        # middleware honours this so the per-IP login rate limit partitions
        # correctly (10 attempts / minute / IP).
        #
        # `header_up NAME VALUE` sets the header, i.e. it replaces whatever the
        # client sent, so a caller cannot supply its own X-Forwarded-For /
        # X-Real-IP to be counted under a different address. {remote_host} is
        # the address of the TCP peer that connected to Caddy.
        # NOTE(review): if Caddy itself sits behind another proxy or CDN, that
        # peer is the proxy, not the end user, and the rate limit would then
        # partition by proxy address -- confirm the deployment topology before
        # relying on it.
        header_up X-Forwarded-For {remote_host}
        header_up X-Real-IP       {remote_host}
    }

    # Sensible hardening defaults.
    # These are response headers added by Caddy on the way back to the browser.
    header {
        # max-age=31536000 is one year. includeSubDomains extends the HTTPS-only
        # pin to every subdomain of this hostname for that year, so leave it out
        # if any subdomain is still served over plain HTTP.
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        # Stop browsers from guessing a content type that differs from the one
        # the panel declares.
        X-Content-Type-Options    "nosniff"
        # Refuse to be embedded in a frame on any site (clickjacking mitigation).
        X-Frame-Options           "DENY"
        # Send only the origin on cross-site navigations, nothing on downgrades.
        Referrer-Policy           "strict-origin-when-cross-origin"
        # The leading "-" deletes the header: do not advertise the server
        # software in responses.
        -Server
        # NOTE(review): no Content-Security-Policy is set here; whether one can
        # be added safely depends on what the panel's pages load -- TODO check
        # against the served HTML before adding one.
    }
}
