{
    # Global options - shared by every environment this Caddyfile is deployed in.
    # `email` is the ACME account contact used for the automatic certificates
    # requested by service_tls. An unset LETSENCRYPT_EMAIL expands to an empty
    # string, so the variable must be provided before Caddy starts.
    email {$LETSENCRYPT_EMAIL}
}

# Import TLS snippet (must be before service blocks)
# Default: Let's Encrypt automatic certificates
# Custom: Run 'make setup-tls' to use your own certificates
import /etc/caddy/addons/tls-snippet.conf

# Appsmith
# TLS comes from the shared service_tls snippet; the upstream has no scheme,
# so it is reached as plain HTTP on the internal network. No basic_auth here:
# whatever login Appsmith itself enforces is the only gate.
{$APPSMITH_HOSTNAME} {
    import service_tls
    reverse_proxy appsmith:80
}

# N8N
# Workflow automation UI/API, proxied as plain HTTP to the n8n container.
# No edge auth on this block; n8n's own user login is relied upon.
{$N8N_HOSTNAME} {
    import service_tls
    reverse_proxy n8n:5678
}

# Open WebUI
# Chat front end; TLS from service_tls, plain HTTP to the container.
# No basic_auth here - the application's own account system is the only gate.
{$WEBUI_HOSTNAME} {
    import service_tls
    reverse_proxy open-webui:8080
}

# Flowise
# Visual LLM flow builder; proxied without edge auth, so access control is
# whatever Flowise itself is configured with (not visible here).
{$FLOWISE_HOSTNAME} {
    import service_tls
    reverse_proxy flowise:3001
}

# Dify
# The upstream is a container named `nginx` (presumably Dify's bundled front
# proxy that fans out to its web/api services), not the Dify API directly.
{$DIFY_HOSTNAME} {
    import service_tls
    reverse_proxy nginx:80
}

# RAGApp
# basic_auth at the edge: a single user/hash pair from the environment.
# The hash must be in the format `caddy hash-password` produces; the plain
# password never appears in this file.
{$RAGAPP_HOSTNAME} {
    import service_tls
    basic_auth {
        {$RAGAPP_USERNAME} {$RAGAPP_PASSWORD_HASH}
    }
    reverse_proxy ragapp:8000
}

# RAGFlow
# Proxied to the ragflow container's HTTP port; no basic_auth, so the
# application's own login is the only access control.
{$RAGFLOW_HOSTNAME} {
    import service_tls
    reverse_proxy ragflow:80
}

# Langfuse
# LLM observability web app (langfuse-web container). No edge auth here;
# relies on Langfuse's own user accounts.
{$LANGFUSE_HOSTNAME} {
    import service_tls
    reverse_proxy langfuse-web:3000
}

# Supabase
# Upstream is the Kong gateway that fronts the Supabase services; the
# anon/service key checks are expected to happen in Kong (not visible here).
{$SUPABASE_HOSTNAME} {
    import service_tls
    reverse_proxy kong:8000
}

# Grafana
# Dashboards; no basic_auth here, Grafana's own login is the only gate.
{$GRAFANA_HOSTNAME} {
    import service_tls
    reverse_proxy grafana:3000
}

# WAHA (WhatsApp HTTP API)
# NOTE(review): no basic_auth on this block, so only an API key configured on
# the WAHA service itself (if any) protects the messaging API - confirm one is set.
{$WAHA_HOSTNAME} {
    import service_tls
    reverse_proxy waha:3000
}

# Prometheus
# Prometheus ships without a login of its own, so the basic_auth here is the
# only thing gating the metrics UI and query API.
{$PROMETHEUS_HOSTNAME} {
    import service_tls
    basic_auth {
        {$PROMETHEUS_USERNAME} {$PROMETHEUS_PASSWORD_HASH}
    }
    reverse_proxy prometheus:9090
}

# Portainer
# Container management UI - effectively Docker host control. No edge auth;
# Portainer's own admin login is the only gate, so keep that account strong.
{$PORTAINER_HOSTNAME} {
    import service_tls
    reverse_proxy portainer:9000
}

# Postiz
# Social scheduling app; proxied as plain HTTP, relies on its own login.
{$POSTIZ_HOSTNAME} {
    import service_tls
    reverse_proxy postiz:5000
}

# Temporal UI (workflow orchestration for Postiz)
# The Temporal web UI is gated with basic_auth at the edge since it exposes
# workflow internals; credentials come from the environment as user + hash.
{$TEMPORAL_UI_HOSTNAME} {
    import service_tls
    basic_auth {
        {$TEMPORAL_UI_USERNAME} {$TEMPORAL_UI_PASSWORD_HASH}
    }
    reverse_proxy temporal-ui:8080
}

# Uptime Kuma
# Status/monitoring UI (uses WebSockets, which reverse_proxy passes through).
# No basic_auth; Uptime Kuma's own login is the only gate.
{$UPTIME_KUMA_HOSTNAME} {
    import service_tls
    reverse_proxy uptime-kuma:3001
}

# Databasus
# NOTE(review): no edge auth on this block; confirm the service enforces its
# own login before exposing this hostname publicly.
{$DATABASUS_HOSTNAME} {
    import service_tls
    reverse_proxy databasus:4005
}

# Letta
# Agent server API. NOTE(review): no basic_auth here, so unless the Letta
# server is configured with its own password/token the API is open - verify.
{$LETTA_HOSTNAME} {
    import service_tls
    reverse_proxy letta:8283
}

# LightRAG (Graph-based RAG with Knowledge Extraction)
# NOTE(review): no edge auth; the API is only as protected as LightRAG's own
# auth settings (not visible here). Compare the basic_auth used for RAGApp.
{$LIGHTRAG_HOSTNAME} {
    import service_tls
    reverse_proxy lightrag:9621
}

# Weaviate
# Vector database REST/GraphQL API. NOTE(review): no basic_auth here; confirm
# anonymous access is disabled / API-key auth is enabled on the Weaviate
# service itself, otherwise the whole store is readable and writable publicly.
{$WEAVIATE_HOSTNAME} {
    import service_tls
    reverse_proxy weaviate:8080
}

# Qdrant
# Vector database REST API and dashboard. NOTE(review): Qdrant serves its API
# without any authentication unless an API key is configured on the service;
# this block adds no basic_auth, so verify the key is set before exposing it.
{$QDRANT_HOSTNAME} {
    import service_tls
    reverse_proxy qdrant:6333
}

# ComfyUI
# ComfyUI has no login of its own, so the basic_auth here is the only gate
# in front of a UI that can run arbitrary workflows on the GPU host.
{$COMFYUI_HOSTNAME} {
    import service_tls
    basic_auth {
        {$COMFYUI_USERNAME} {$COMFYUI_PASSWORD_HASH}
    }
    reverse_proxy comfyui:8188
}

# LibreTranslate (Self-hosted Translation API)
# Edge basic_auth protects the translation API; clients must send the
# Authorization header on every request (there is no session/cookie).
{$LT_HOSTNAME} {
    import service_tls
    basic_auth {
        {$LT_USERNAME} {$LT_PASSWORD_HASH}
    }
    reverse_proxy libretranslate:5000
}

# Neo4j
# Neo4j Browser / HTTP API on 7474; Neo4j's own database credentials are the
# only gate (no basic_auth here). The Bolt listener for the same hostname is
# the separate :7687 block below.
{$NEO4J_HOSTNAME} {
    import service_tls
    reverse_proxy neo4j:7474
}

# Neo4j Bolt Protocol (wss)
# Explicit https:// address on port 7687 so Neo4j Browser can open its Bolt
# WebSocket over TLS. reverse_proxy is an HTTP/WebSocket proxy, so only the
# WebSocket form of Bolt works through this listener; native drivers that
# speak raw Bolt over TCP would need a layer-4 path instead (presumably).
https://{$NEO4J_HOSTNAME}:7687 {
    import service_tls
    reverse_proxy neo4j:7687
}

# NocoDB
# Spreadsheet-style DB UI; no edge auth, relies on NocoDB's own accounts.
{$NOCODB_HOSTNAME} {
    import service_tls
    reverse_proxy nocodb:8080
}

# PaddleOCR (PaddleX Basic Serving)
# basic_auth gates an OCR API that (presumably) has no login of its own;
# clients must send the Authorization header on every request.
{$PADDLEOCR_HOSTNAME} {
    import service_tls
    basic_auth {
        {$PADDLEOCR_USERNAME} {$PADDLEOCR_PASSWORD_HASH}
    }
    reverse_proxy paddleocr:8080
}

# Docling (Document Conversion API)
# basic_auth at the edge; same user/hash pattern as the other gated APIs.
# Uploaded documents are processed by the upstream, so keep this gate on.
{$DOCLING_HOSTNAME} {
    import service_tls
    basic_auth {
        {$DOCLING_USERNAME} {$DOCLING_PASSWORD_HASH}
    }
    reverse_proxy docling:5001
}

# Welcome Page (Post-install dashboard)
# HTTP block for Cloudflare Tunnel access (prevents redirect loop)
# Declaring an explicit http:// site disables Caddy's automatic HTTP->HTTPS
# redirect for this hostname, which is what the tunnel connector needs.
# NOTE(review): there is no TLS on this listener, so the basic_auth
# credentials travel in clear text between the tunnel connector and Caddy.
# That is only acceptable if port 80 is reachable solely from the tunnel /
# internal network - confirm it is not published to the Internet.
http://{$WELCOME_HOSTNAME} {
    basic_auth {
        {$WELCOME_USERNAME} {$WELCOME_PASSWORD_HASH}
    }
    # Static single-page app: unknown paths fall back to index.html
    root * /srv/welcome
    file_server
    try_files {path} /index.html
}

# HTTPS block for direct access
# Same static content and the same basic_auth user/hash as the http:// block
# above, but served with TLS from service_tls for clients that reach Caddy
# directly rather than through the tunnel.
{$WELCOME_HOSTNAME} {
    import service_tls
    basic_auth {
        {$WELCOME_USERNAME} {$WELCOME_PASSWORD_HASH}
    }
    # Static single-page app: unknown paths fall back to index.html
    root * /srv/welcome
    file_server
    try_files {path} /index.html
}

# Import custom site addons
import /etc/caddy/addons/site-*.conf

# SearXNG
# Metasearch front end. basic_auth is applied only to requests whose TCP
# peer is NOT in the listed private/CGNAT ranges, so LAN/VPN clients skip
# the login while Internet clients must authenticate.
{$SEARXNG_HOSTNAME} {
    import service_tls
    # remote_ip tests the direct TCP peer address, never a forwarded client
    # address. 100.64.0.0/10 is the CGNAT range (also used by Tailscale).
    # NOTE(review): any request that reaches Caddy through an in-network hop
    # (the tunnel connector used for the welcome page, another container, a
    # VPN peer) carries a private source address, matches these ranges and
    # therefore bypasses basic_auth. Confirm Internet traffic hits Caddy
    # directly, or switch to the client_ip matcher together with a
    # trusted_proxies global setting so the real client address is tested.
    @protected not remote_ip 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 100.64.0.0/10

    basic_auth @protected {
        {$SEARXNG_USERNAME} {$SEARXNG_PASSWORD_HASH}
    }

    # Response compression
    encode zstd gzip
    
    # Path matchers referenced by the per-path header rules below
    @api {
        path /config
        path /healthz
        path /stats/errors
        path /stats/checker
    }
    @search {
        path /search
    }
    @imageproxy {
        path /image_proxy
    }
    @static {
        path /static/*
    }
    
    # Security headers for every response from this site. They apply to this
    # block only; the other service blocks get whatever service_tls sets
    # (snippet not visible here).
    header {
        # CSP (https://content-security-policy.com)
        Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src * data:; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com;"
        # Disable some browser features
        Permissions-Policy "accelerometer=(),camera=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),payment=(),usb=()"
        # Set referrer policy
        Referrer-Policy "no-referrer"
        # Force clients to use HTTPS
        Strict-Transport-Security "max-age=31536000"
        # Prevent MIME type sniffing from the declared Content-Type
        X-Content-Type-Options "nosniff"
        # X-Robots-Tag (comment out to allow site indexing)
        X-Robots-Tag "noindex, noarchive, nofollow"
        # Remove "Server" header
        -Server
    }
    
    # Permissive CORS only on the read-only JSON endpoints matched by @api
    header @api {
        Access-Control-Allow-Methods "GET, OPTIONS"
        Access-Control-Allow-Origin "*"
    }
    
    # route keeps these directives in written order: the generic no-store
    # value is set first and the more specific matchers overwrite it after.
    route {
        # Cache policy
        header Cache-Control "max-age=0, no-store"
        header @search Cache-Control "max-age=5, private"
        header @imageproxy Cache-Control "max-age=604800, public"
        header @static Cache-Control "max-age=31536000, public, immutable"
    }
    
    # SearXNG (uWSGI)
    # Upstream is plain HTTP on the internal network. X-Real-IP carries the
    # TCP peer address - the same value the @protected matcher tests above.
    reverse_proxy searxng:8080 {
        header_up X-Forwarded-Port {http.request.port}
        header_up X-Real-IP {http.request.remote.host}
        # https://github.com/searx/searx-docker/issues/24
        header_up Connection "close"
    }
}
