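# Caddyfile for Forgejo (Jinja2 template, rendered before Caddy loads it)
# When forgejo_enable_letsencrypt is set, Caddy automatically obtains and
# renews TLS certificates via Let's Encrypt.
{% if forgejo_enable_letsencrypt %}
{{ forgejo_domain }} {
    # Reverse proxy to Forgejo on the loopback interface
    reverse_proxy localhost:{{ forgejo_http_port }} {
        # Tell Forgejo the client address and the original scheme.
        # header_up without a "+" prefix replaces the header, so a value sent
        # by the client is overwritten with what Caddy saw on the connection.
        # WebSocket upgrades are proxied without any extra directive.
        # NOTE(review): if Caddy sits behind another proxy or load balancer,
        # {remote_host} is that hop's address, not the end user's.
        # NOTE(review): these headers are only trustworthy if Forgejo cannot be
        # reached directly; confirm it listens on loopback only (HTTP_ADDR in
        # app.ini) and that its trusted-proxy setting matches this host.
        header_up X-Real-IP {remote_host}
        header_up X-Forwarded-For {remote_host}
        header_up X-Forwarded-Proto {scheme}

        # Read/write timeouts towards the backend, sized for large Git operations
        transport http {
            read_timeout 600s
            write_timeout 600s
        }
    }

    # Security headers
    header {
        # One year of HSTS, including subdomains: every subdomain of this host
        # must be able to serve HTTPS before this is deployed.
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        X-Frame-Options "SAMEORIGIN"
        X-Content-Type-Options "nosniff"
        # The legacy XSS auditor is gone from current browsers, and in the old
        # ones "1; mode=block" could itself be abused; "0" disables it, as
        # current hardening guidance recommends.
        X-XSS-Protection "0"
    }

    # Request body size limit for large uploads (Git push, LFS)
    request_body {
        max_size 100MB
    }

    # Access log as JSON, rotated at 100 MB with 5 files kept.
    # The log contains client addresses and request paths; keep the directory
    # readable by the Caddy user and log collectors only.
    log {
        output file /var/log/caddy/forgejo_access.log {
            roll_size 100mb
            roll_keep 5
        }
        format json
    }

    # TLS configuration (automatic via Let's Encrypt); the argument is the
    # contact e-mail for the ACME account.
    tls {{ letsencrypt_email }}
}
{% else %}
# HTTP-only configuration (not recommended for production): logins, tokens and
# Git traffic cross the network unencrypted.
:80 {
    reverse_proxy localhost:{{ forgejo_http_port }} {
        # Replace any client-supplied forwarding headers with the values Caddy
        # saw on the connection.
        header_up X-Real-IP {remote_host}
        header_up X-Forwarded-For {remote_host}
        header_up X-Forwarded-Proto {scheme}
    }

    # Same framing and MIME-sniffing protections as the TLS site.
    # Strict-Transport-Security is left out on purpose: browsers ignore it on
    # responses delivered over plain HTTP.
    header {
        X-Frame-Options "SAMEORIGIN"
        X-Content-Type-Options "nosniff"
    }

    # Request body size limit for large uploads (Git push, LFS)
    request_body {
        max_size 100MB
    }

    # Access log as JSON; contains client addresses and request paths.
    log {
        output file /var/log/caddy/forgejo_access.log
        format json
    }
}
{% endif %}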