# Legate Agent — production reverse proxy with automatic TLS.
#
# Set DOMAIN in the environment (e.g. app.example.com). Caddy provisions and
# renews Let's Encrypt certificates automatically. The dashboard is served at /
# and the API under /api (WebSocket upgrades are proxied transparently).
#
# Configure the stack accordingly:
#   NEXT_PUBLIC_API_BASE_URL = https://$DOMAIN/api
#   CORS_ORIGINS             = https://$DOMAIN
#   API_BASE_URL             = https://$DOMAIN/api

# Site block for the public hostname. {$DOMAIN} is substituted from the
# environment when the Caddyfile is parsed, so DOMAIN must be set before
# Caddy starts. With a real hostname here, Caddy's automatic HTTPS also
# redirects plain-HTTP requests to HTTPS.
{$DOMAIN} {
	# Compress responses with gzip or zstd, depending on what the client accepts.
	# NOTE(review): if any compressed response reflects request input next to a
	# secret (token, CSRF value), review exposure to compression side channels.
	encode gzip zstd

	# API (REST + WebSocket) under /api.
	# handle_path strips the matched /api prefix, so the upstream sees /foo for
	# a request to /api/foo. A bare /api (no trailing slash) does not match
	# /api/* and falls through to the dashboard handler below.
	# Every route the API process serves is reachable from the internet through
	# this block; verify that it exposes no debug, docs or metrics endpoints
	# that should stay internal.
	handle_path /api/* {
		# No scheme is given, so the upstream connection is plain HTTP.
		# Presumably api:8000 sits on a private container network; confirm it is
		# not published on the host, otherwise TLS and these headers are bypassed.
		reverse_proxy api:8000
	}

	# Everything else is the Next.js dashboard.
	# handle blocks are mutually exclusive; this matcher-less one is the fallback.
	handle {
		# Plain HTTP to the upstream, as for the API above.
		reverse_proxy web:3000
	}

	# Security response headers, declared at site level so they apply to both
	# the API and the dashboard.
	# NOTE(review): the directive is not deferred; confirm the upstreams do not
	# send their own values for these headers, which could reach the client as
	# duplicates or conflicts.
	# NOTE(review): no Content-Security-Policy is set here; presumably the
	# Next.js app sets its own. Confirm.
	header {
		# One year of HSTS. includeSubDomains makes browsers require HTTPS on
		# every subdomain of $DOMAIN as well; confirm they all serve valid TLS.
		Strict-Transport-Security "max-age=31536000; includeSubDomains"
		# Stops browsers from MIME-sniffing a response into another content type.
		X-Content-Type-Options "nosniff"
		# Forbids rendering any page of this site inside a frame (clickjacking).
		X-Frame-Options "DENY"
		# Cross-origin requests receive only the origin, never the path or query.
		Referrer-Policy "strict-origin-when-cross-origin"
	}
}
