infra/caddy/Caddyfile

@@ -0,0 +1,63 @@
+# Caddyfile for the Familienarchiv host.
+#
+# Caddy runs on the host (not in a container) and reverse-proxies into
+# the docker compose stacks bound to 127.0.0.1.
+#
+# Naming convention for ports (also documented in docker-compose.prod.yml):
+#   production: backend 8080, frontend 3000
+#   staging:    backend 8081, frontend 3001
+#   gitea:      3005
+#
+# Security headers and the /actuator block apply to both archive vhosts.
+# X-Frame-Options is deliberately NOT set here: Spring Security configures
+# frame-options SAMEORIGIN (for the in-app PDF preview iframe). Setting
+# DENY in Caddy would conflict.
+
+(security_headers) {
+	header {
+		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+		X-Content-Type-Options "nosniff"
+		Referrer-Policy "strict-origin-when-cross-origin"
+		-Server
+	}
+}
+
+(block_actuator) {
+	# Defense in depth: even if management.endpoints.web.exposure.include grows
+	# in application.yaml, /actuator/* is unreachable externally. The internal
+	# Prometheus scrape (future) talks to the backend directly on the docker
+	# network, not via Caddy.
+	@actuator path /actuator/*
+	respond @actuator 404
+}
+
+archiv.raddatz.cloud {
+	import security_headers
+	import block_actuator
+
+	handle /api/* {
+		reverse_proxy 127.0.0.1:8080
+	}
+
+	handle {
+		reverse_proxy 127.0.0.1:3000
+	}
+}
+
+staging.raddatz.cloud {
+	import security_headers
+	import block_actuator
+
+	handle /api/* {
+		reverse_proxy 127.0.0.1:8081
+	}
+
+	handle {
+		reverse_proxy 127.0.0.1:3001
+	}
+}
+
+git.raddatz.cloud {
+	import security_headers
+	reverse_proxy 127.0.0.1:3005
+}