familienarchiv/infra/caddy/Caddyfile

# Caddyfile for the Familienarchiv host.
#
# Caddy runs on the host (not in a container) and reverse-proxies into
# the docker compose stacks bound to 127.0.0.1.
#
# Naming convention for ports (also documented in docker-compose.prod.yml):
#   production: backend 8080, frontend 3000
#   staging:    backend 8081, frontend 3001
#   gitea:      3005
#
# Security headers and the /actuator block apply to both archive vhosts.
# X-Frame-Options is deliberately NOT set here: Spring Security configures
# frame-options SAMEORIGIN (for the in-app PDF preview iframe). Setting
# DENY in Caddy would conflict.

(security_headers) {
	header {
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
		X-Content-Type-Options "nosniff"
		Referrer-Policy "strict-origin-when-cross-origin"
		-Server
	}
}

(block_actuator) {
	# Defense in depth: even if management.endpoints.web.exposure.include grows
	# in application.yaml, /actuator/* is unreachable externally. The internal
	# Prometheus scrape (future) talks to the backend directly on the docker
	# network, not via Caddy.
	@actuator path /actuator/*
	respond @actuator 404
}

(access_log) {
	# JSON access log for fail2ban. The jail at infra/fail2ban/familienarchiv.conf
	# watches this file for 401 responses on /api/auth/login.
	# Caddy auto-creates /var/log/caddy/ when running as the `caddy` system user.
	log {
		output file /var/log/caddy/access.log {
			roll_size 10mb
			roll_keep 14
		}
		format json
	}
}

archiv.raddatz.cloud {
	import security_headers
	import block_actuator
	import access_log

	handle /api/* {
		reverse_proxy 127.0.0.1:8080
	}

	handle {
		reverse_proxy 127.0.0.1:3000
	}
}

staging.raddatz.cloud {
	import security_headers
	import block_actuator
	import access_log

	handle /api/* {
		reverse_proxy 127.0.0.1:8081
	}

	handle {
		reverse_proxy 127.0.0.1:3001
	}
}

git.raddatz.cloud {
	import security_headers
	reverse_proxy 127.0.0.1:3005
}