# Total Recall — Caddy Reverse Proxy Configuration
#
# Deployed to /etc/caddy/Caddyfile during `npx total-recall deploy --domain <your-domain>`
#
# Recommended: Use Cloudflare Tunnel instead of Caddy for HTTPS — zero port-forwarding required.
#   Run: npx total-recall deploy --cloudflare-quick   (free temp URL, no account)
#   Or:  npx total-recall deploy --cloudflare-token <token>  (permanent custom domain)
#
# If you prefer Caddy + Let's Encrypt (VPS with open port 80):
#   1. Point a domain at your server IP (any registrar — duckdns.org is free)
#   2. Deploy with: npx total-recall deploy --domain yourdomain.com
#   3. Caddy auto-provisions a TLS cert via the ACME HTTP-01 challenge (port 80 must be reachable from the internet)
#   4. Your dashboard will be at https://yourdomain.com
#
# The deploy command replaces YOUR_DOMAIN below with your --domain value at deploy time.

YOUR_DOMAIN {
    # Reverse proxy to Express server over loopback.
    # Caddy adds X-Forwarded-For / X-Forwarded-Proto / X-Forwarded-Host to the
    # upstream request; these are only trustworthy while Caddy is the sole way
    # to reach port 3000 — assumes the Express server binds to 127.0.0.1 only
    # (confirm in the app; if it also listens on 0.0.0.0 the headers can be spoofed).
    reverse_proxy 127.0.0.1:3000

    # Security headers.
    # Because a header is deleted here (-Server), Caddy defers every operation
    # in this block until the response is written, so they also apply to — and
    # override — headers coming back from the upstream.
    header {
        # Drop Caddy's own "Server: Caddy" header.
        -Server
        X-Content-Type-Options nosniff
        # Legacy clickjacking protection; CSP frame-ancestors below is the
        # modern equivalent and wins in CSP-aware browsers.
        X-Frame-Options SAMEORIGIN
        Referrer-Policy strict-origin-when-cross-origin
        # HSTS: one year, including subdomains. `preload` has no effect until the
        # domain is submitted to the browser preload list and is hard to undo;
        # remove it unless you intend to submit. On a shared/dynamic-DNS host
        # includeSubDomains commits any subdomain you control to HTTPS too.
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        Permissions-Policy "camera=(), microphone=(), geolocation=()"
        # CSP: scripts are same-origin only (no inline JS, no eval). Styles allow
        # 'unsafe-inline' plus Google Fonts — presumably required by the dashboard's
        # inline styles (TODO confirm); tightening to hashes/nonces would close the
        # remaining CSS-injection surface. frame-ancestors/base-uri/form-action
        # pin framing, <base>, and form targets to this origin.
        Content-Security-Policy "default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; script-src 'self'; connect-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'"
    }

    # Logging: JSON access log. Caddy redacts Cookie, Set-Cookie, Authorization
    # and Proxy-Authorization header values by default (the `log_credentials`
    # global option would re-enable them — leave it off). The file output rolls
    # automatically with Caddy's defaults (100 MiB per file, keep 10, 90 days);
    # the log still contains client IPs, so treat it as personal data.
    log {
        output file /var/log/caddy/access.log
        format json
    }
}
