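# Production Caddyfile - Uses Let's Encrypt for automatic HTTPS
#
# Site addresses are built from ${*_SUBDOMAIN}.${BASE_DOMAIN}; these
# placeholders are presumably substituted before Caddy loads the file
# (container entrypoint or similar) — confirm in the deployment.

# Reusable forward authentication snippet.
# A site that imports this sends every request to Authelia first; only a
# successful (2xx) authz response lets the request continue upstream, and
# the identity headers named in copy_headers are taken from Authelia's
# response, so client-supplied copies of those headers do not survive.
(auth) {
	forward_auth authelia:9091 {
		uri /api/authz/forward-auth
		copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
		# Authelia reconstructs the original request URL from these.
		# {remote_host} is the direct TCP peer: if another proxy sits in
		# front of Caddy, that proxy's address is what Authelia will see.
		header_up X-Forwarded-Proto {scheme}
		header_up X-Forwarded-Host {host}
		header_up X-Forwarded-Uri {uri}
		header_up X-Forwarded-For {remote_host}
	}
}

# Authelia - NO forward auth (must be accessible for login)
${AUTHELIA_SUBDOMAIN}.${BASE_DOMAIN} {
	reverse_proxy authelia:9091 {
		# Pass through all headers properly.
		# NOTE(review): Host is rewritten to the upstream address, so
		# Authelia has to derive its public URL from X-Forwarded-Host —
		# confirm its trusted-proxy settings accept that.
		header_up Host {upstream_hostport}
		header_up X-Real-IP {remote_host}
		# Explicitly setting X-Forwarded-For replaces the header instead
		# of Caddy's default append, so a client-supplied X-Forwarded-For
		# never reaches Authelia.
		header_up X-Forwarded-For {remote_host}
		header_up X-Forwarded-Proto {scheme}
		header_up X-Forwarded-Host {host}
		# Increase timeouts for slow connections
		transport http {
			read_timeout 60s
			write_timeout 60s
		}
	}
}

# Gitea - Uses OIDC for authentication (no forward_auth)
${GITEA_SUBDOMAIN}.${BASE_DOMAIN} {
	reverse_proxy gitea:3000
}

# JSPWiki - Protected by Authelia
${WIKI_SUBDOMAIN}.${BASE_DOMAIN} {
	import auth
	reverse_proxy jspwiki:8080
}

# lldap - Protected by Authelia (requires Authelia auth + lldap admin password)
${LLDAP_SUBDOMAIN}.${BASE_DOMAIN} {
	import auth
	reverse_proxy lldap:17170
}

# Registration - Public form, protected admin dashboard
${REGISTRATION_SUBDOMAIN}.${BASE_DOMAIN} {
	# Admin dashboard requires authentication and admin group membership.
	# Only the authentication step happens here; the admin-group check is
	# presumably an Authelia access_control rule for this domain and path
	# — keep the two configurations in sync.
	# NOTE(review): this path matcher is the only thing routing admin
	# requests through Authelia; the application should still authorize
	# its own admin routes as defense in depth.
	@admin path /admin /admin/*
	handle @admin {
		import auth
		reverse_proxy registration:5000
	}

	# Public registration form (no auth required - skip forward_auth).
	# Both handlers feed the same backend, so strip the identity headers
	# the auth snippet normally supplies; otherwise an unauthenticated
	# client could hand the application its own Remote-* values.
	handle {
		reverse_proxy registration:5000 {
			header_up -Remote-User
			header_up -Remote-Groups
			header_up -Remote-Email
			header_up -Remote-Name
		}
	}
}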