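# =============================================================================
# Caddy Configuration for Forgejo
# Automatic HTTPS with Let's Encrypt
# =============================================================================
#
# NOTE: a Caddyfile is line-oriented and "#" starts a comment that runs to the
# end of the line, so every directive below must sit on its own line.
#
# {$FORGEJO_DOMAIN} is substituted from the environment when the config is
# parsed. Make sure it is set before Caddy starts; an empty value does not
# produce the intended site address.

{$FORGEJO_DOMAIN} {
    # Reverse proxy to the Forgejo container (plain HTTP on the internal
    # network; TLS is terminated here).
    reverse_proxy forgejo:3000

    # Enable response compression
    encode gzip zstd

    # Security headers, applied to every response from this site
    header {
        # HSTS: one year, all subdomains. "includeSubDomains" means every
        # subdomain of this host must also serve HTTPS, and "preload" signals
        # consent to browser preload lists, which is slow to undo. Drop those
        # two tokens if that commitment is not intended.
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

        # Prevent clickjacking: only same-origin pages may frame this site
        X-Frame-Options "SAMEORIGIN"

        # Stop browsers from MIME-sniffing responses away from the declared
        # Content-Type
        X-Content-Type-Options "nosniff"

        # The legacy XSS auditor is deprecated and "1; mode=block" could itself
        # be abused in the old browsers that still honour it; current guidance
        # (OWASP, MDN) is to switch it off explicitly and rely on a
        # Content-Security-Policy instead.
        X-XSS-Protection "0"

        # Referrer policy: send only the origin on cross-origin requests
        Referrer-Policy "strict-origin-when-cross-origin"

        # Remove the Server header so the proxy software is not advertised
        -Server
    }

    # Access logging with rotation. Request URIs (including query strings) are
    # written here, so keep /data/access.log readable only by the operators
    # who need it.
    log {
        output file /data/access.log {
            roll_size 10mb
            roll_keep 5
        }
    }
}

# HTTP to HTTPS redirect (automatic with Caddy, but explicit for clarity)
http://{$FORGEJO_DOMAIN} {
    redir https://{$FORGEJO_DOMAIN}{uri} permanent
}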