# scripts/platform/Caddyfile, TinyAgentOS platform LXC
#
# DNS records you must create before Caddy can issue TLS certificates.
# All four records should point to the platform LXC IP address.
# Replace <LXC-IP> with the actual IPv4 (and AAAA for IPv6) address.
#
#   Type  Name                      Value
#   ----  ------------------------  ---------
#   A     tinyagentos.com           <LXC-IP>
#   A     www.tinyagentos.com       <LXC-IP>
#   A     docs.tinyagentos.com      <LXC-IP>
#   A     tracker.tinyagentos.com   <LXC-IP>
#
# For IPv6 add matching AAAA records pointing to the LXC IPv6 address.
#
# Caddy obtains Let's Encrypt certificates automatically (HTTP-01 or
# TLS-ALPN-01 challenge) once DNS propagates, so inbound TCP 80 and 443
# must reach this LXC from the internet; HTTP/3 (enabled in the global
# options below) additionally needs inbound UDP 443. No manual certbot
# step is required.
#
# Future subdomains (uncomment when the relevant phase lands). Note that the
# HSTS header below carries includeSubDomains, so every one of these hosts
# is HTTPS-only from the moment a browser has visited tinyagentos.com:
#   # app.tinyagentos.com       , phase 2: hosted TAOS controller UI
#   # desktop.tinyagentos.com   , phase 2: web desktop gateway
#   # community.tinyagentos.com , phase 3: community forum
#   # mail.tinyagentos.com      , phase 3: webmail for the managed email service

{
    # Global options, applied to every site block in this file.

    # ACME account contact; Let's Encrypt sends expiry and incident notices here.
    email webmaster@tinyagentos.com

    servers {
        # Serve HTTP/1.1, HTTP/2 and HTTP/3. h3 (QUIC) needs inbound UDP 443
        # in addition to TCP 80/443; with no listener address given, this
        # setting applies to every server Caddy starts from this file.
        protocols h1 h2 h3
    }
}

# Reusable security-headers snippet
(secure_headers) {
    header {
        # Two-year HSTS. includeSubDomains covers every *.tinyagentos.com
        # host (including the future phase-2/3 subdomains), and preload is
        # a request to be hard-coded into browser preload lists, which is
        # slow to undo. Only keep preload if the apex has been submitted
        # to hstspreload.org and every subdomain will stay HTTPS-only.
        Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
        # Stop browsers from MIME-sniffing responses into scripts/styles.
        X-Content-Type-Options    "nosniff"
        # Refuse to be framed at all (clickjacking).
        X-Frame-Options           "DENY"
        # Send full referrer same-origin, origin only cross-origin over HTTPS.
        Referrer-Policy           "strict-origin-when-cross-origin"
        # None of the served sites needs these device APIs.
        Permissions-Policy        "camera=(), microphone=(), geolocation=()"
        # Strip the Server: Caddy header from all responses.
        -Server
        # NOTE(review): no Content-Security-Policy is set. Add one per site
        # once each site's inline script/style usage is known; a blanket
        # policy here could break the docs or landing page.
    }
}

# Reusable logging snippet
(access_log) {
    # Access (request) logging, shared by every site that imports this
    # snippet: all hosts write to the same file, so the host field in each
    # JSON entry is what distinguishes them.
    log {
        output file /var/log/caddy/access.log {
            # Rotate at 100 MB, keep at most 10 rotated files, and drop
            # anything older than 30 days. Entries contain client IPs and
            # User-Agent strings, so 720h is also the personal-data
            # retention window for this host; shorten it if policy requires.
            roll_size    100mb
            roll_keep    10
            roll_keep_for 720h
        }
        format json
        # NOTE(review): Caddy redacts Authorization/Cookie header values in
        # access logs by default; do not set the global log_credentials
        # option, or those values will land in this file.
    }
}

# Redirect www -> apex
# Redirect www -> apex
www.tinyagentos.com {
    # Headers and logging on the redirect responses too, so the HSTS policy
    # is learned on the very first www hit.
    import secure_headers
    import access_log
    # 301 to the apex, preserving path and query string ({uri}).
    redir https://tinyagentos.com{uri} permanent
}

# Main landing page
# Main landing page
tinyagentos.com {
    import secure_headers
    import access_log

    root * /var/www/tinyagentos.com/public

    # Cache static assets aggressively.
    # "immutable" with a one-year max-age is only safe if the build emits
    # content-hashed filenames (app.3f2a1c.css); a plain "app.css" served
    # with this header will be stale in browsers for up to a year after
    # it changes.
    @static {
        path *.css *.js *.svg *.png *.jpg *.webp *.woff2 *.ico
    }
    header @static Cache-Control "public, max-age=31536000, immutable"

    file_server

    # Second access logger for this site only, filtered to entries Caddy
    # emits at ERROR level (failed requests).
    # NOTE(review): a site-level log directive configures access logs only;
    # runtime/process errors such as certificate-issuance failures go to the
    # global logger and will not appear in this file despite its name.
    log {
        output file /var/log/caddy/error.log {
            roll_size    50mb
            roll_keep    5
        }
        level ERROR
    }
}

# Docs site, built by CI and deployed to this directory
# Docs site, built by CI and deployed to this directory
docs.tinyagentos.com {
    import secure_headers
    import access_log

    root * /var/www/docs.tinyagentos.com/public

    # Shorter (one day) cache than the landing page because docs assets are
    # not expected to be content-hashed; a rebuild must become visible soon.
    @static {
        path *.css *.js *.svg *.png *.jpg *.webp *.woff2 *.ico
    }
    header @static Cache-Control "public, max-age=86400"

    file_server {
        # mkdocs material generates clean URLs (/page/ -> /page/index.html).
        # index only resolves directory requests; it does not rewrite
        # unknown paths to index.html (that would need try_files), so a
        # missing page still returns 404.
        index index.html
    }
}

# BitTorrent tracker, proxied to opentracker on 127.0.0.1:6969
# BitTorrent tracker, proxied to opentracker on 127.0.0.1:6969
tracker.tinyagentos.com {
    import secure_headers
    import access_log

    # Caddy terminates TLS and forwards to the loopback-only opentracker,
    # adding X-Forwarded-For with the announcing client's address.
    # NOTE(review): opentracker by default records the peer address from the
    # TCP socket, which here is always 127.0.0.1, unless it was built and
    # configured to take the client IP from the proxy header; confirm the
    # opentracker build/config before relying on announce results.
    # NOTE(review): Caddy's automatic HTTP->HTTPS redirect plus HSTS means
    # clients using an http:// announce URL get a redirect; verify the
    # published tracker URL is https:// and that target clients follow it.
    reverse_proxy 127.0.0.1:6969
}

# --------------------------------------------------------------------------
# Future subdomains, leave these commented until the phase lands
# --------------------------------------------------------------------------

# app.tinyagentos.com {
#     # phase 2: hosted TinyAgentOS controller
#     import secure_headers
#     import access_log
#     # NOTE: 6969 is the opentracker upstream already used by
#     # tracker.tinyagentos.com above; give the controller its own port
#     # before enabling this block.
#     reverse_proxy 127.0.0.1:6969
# }

# desktop.tinyagentos.com {
#     # phase 2: web desktop gateway
#     import secure_headers
#     import access_log
#     reverse_proxy 127.0.0.1:7000
# }

# community.tinyagentos.com {
#     # phase 3: community forum (Discourse or similar)
#     import secure_headers
#     import access_log
#     reverse_proxy 127.0.0.1:4567
# }

# mail.tinyagentos.com {
#     # phase 3: webmail (Roundcube or similar)
#     import secure_headers
#     import access_log
#     reverse_proxy 127.0.0.1:8080
# }
