# Caddy config for blamejs.com — automatic Let's Encrypt TLS,
# reverse-proxy to the wiki container on the docker-compose network.
#
# Caddy issues + renews certificates automatically. The operator only
# needs to point blamejs.com A/AAAA records at the host running this.

# Single site block serving both the apex and www hostnames: www is
# redirected to the apex, everything else is proxied to the wiki.
# NOTE(review): there is no `header` directive in this block, so response
# security headers such as Strict-Transport-Security are present only if
# the wiki upstream emits them. Confirm against the wiki's responses.
blamejs.com, www.blamejs.com {
	# Canonicalize www.* → apex with a permanent (308) redirect; {uri}
	# carries the original path and query string across.
	@www host www.blamejs.com
	redir @www https://blamejs.com{uri} 308

	# Compress responses; zstd is listed ahead of gzip.
	encode zstd gzip

	# Pass through to the wiki container by service name on the
	# compose network (Caddy resolves "wiki" to the container).
	# No scheme is given, so this hop is plain HTTP and relies on the
	# compose network being private to these containers.
	# Caddy reads {$WIKI_PORT} from its own environment at config-load
	# time; the 3008 after the colon is the fallback when it is unset.
	# The prod compose passes WIKI_PORT through to BOTH the wiki
	# and caddy services so an operator who overrides WIKI_PORT in
	# `.env` gets a consistent upstream — without this, an operator
	# carrying WIKI_PORT=8080 from a pre-v0.11.40 deploy would have
	# the wiki listening on 8080 while Caddy forwarded to the new
	# default, surfacing as 502s on the public site.
	# NOTE(review): the wiki acts on the X-Forwarded-* values set below,
	# so its port should be reachable only through Caddy. Confirm the
	# compose file does not also publish it on the host.
	reverse_proxy wiki:{$WIKI_PORT:3008} {
		# Tell the wiki the client-facing scheme is https so its CORS
		# same-origin detection trusts X-Forwarded-Proto: https.
		# The value is hard-coded here, not copied from the request.
		header_up X-Forwarded-Proto https
		# header_up with a value overwrites anything the client sent, so
		# the wiki sees only the address of Caddy's direct peer and never
		# a client-supplied X-Forwarded-For.
		# NOTE(review): if a CDN or load balancer is ever placed in front
		# of Caddy, {remote_host} becomes that hop's address; revisit
		# this line (and trusted_proxies) at that point.
		header_up X-Forwarded-For {remote_host}
	}

	# Caddy applies sensible TLS defaults; pin to 1.3 floor explicitly.
	# With only a minimum given, handshakes below TLS 1.3 are refused,
	# so clients limited to TLS 1.2 cannot connect.
	tls {
		protocols tls1.3
	}

	# Log to stdout, as JSON, so Docker captures it. Entries carry
	# client addresses and request URIs, so treat the container log
	# stream (and wherever Docker ships it) as sensitive.
	log {
		output stdout
		format json
	}
}
