dotfiles_arch/ansible/roles/caddy/templates/Caddyfile.j2

# Caddyfile - Generated by Ansible
# Domain: {{ domain }}
# Global options: the unnamed block at the top of a Caddyfile holds settings
# that apply to every site defined below.
{
    # Contact address used when Caddy registers its ACME account for automatic
    # certificates. The value is rendered by Ansible from `user_email`.
    email {{ user_email }}
}
# ===== PUBLIC SERVICES =====
# Nextcloud (public). Caddy terminates TLS and forwards plain HTTP to the
# upstream named "next" on port 80.
{{ subdomain_nextcloud }}.{{ domain }} {
    # Service-discovery endpoints are redirected to the Nextcloud paths that
    # implement them (CardDAV/CalDAV, WebFinger, NodeInfo).
    redir /.well-known/carddav /remote.php/dav 301
    redir /.well-known/caldav /remote.php/dav 301
    redir /.well-known/webfinger /index.php/.well-known/webfinger 301
    redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301

    # Per-request body ceiling. 10GB suits large file uploads, but on an
    # internet-facing host it is also the amount an unauthenticated client may
    # try to send before the upstream rejects the request.
    request_body {
        max_size 10GB
    }

    # Response hardening. Because the block contains a deletion (-Server),
    # Caddy defers all of these operations until the response is written, so
    # they are applied on top of whatever the upstream sent.
    header {
        # One-year HSTS for this host and its subdomains. `preload` only takes
        # effect once the domain is submitted to the browser preload list, and
        # that submission is slow to undo.
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        X-Content-Type-Options nosniff
        X-Frame-Options SAMEORIGIN
        Referrer-Policy no-referrer
        # Legacy header: current browsers no longer implement the XSS auditor,
        # so this adds no protection there.
        X-XSS-Protection "1; mode=block"
        # Strip the Server header so the backend software is not advertised.
        -Server
    }

    reverse_proxy next:80
}
# OnlyOffice Document Server (public). Forwarded to the upstream
# "onlyoffice" on port 80.
{{ subdomain_office }}.{{ domain }} {
    # Only HSTS (one year, this host only) is set and the Server header is
    # removed. No X-Frame-Options or nosniff header is added here, unlike the
    # Nextcloud site; presumably framing is left open because the editor is
    # embedded from another origin. Verify before tightening.
    header {
        Strict-Transport-Security "max-age=31536000"
        -Server
    }

    # Requests with a body larger than 100MB are rejected.
    request_body {
        max_size 100MB
    }

    # No authentication is applied at the proxy, so access control is
    # entirely the upstream's responsibility.
    # NOTE(review): confirm the Document Server enforces its own token check.
    reverse_proxy onlyoffice:80
}
# Excalidraw (public). Forwarded to the upstream "excalidraw" on port 80.
{{ subdomain_draw }}.{{ domain }} {
    # One-year HSTS for this host only; the Server header is removed from
    # responses. No other hardening headers are set on this site.
    header {
        Strict-Transport-Security "max-age=31536000"
        -Server
    }

    # No authentication or source-address restriction is applied at this
    # layer.
    reverse_proxy excalidraw:80
}
# Obsidian (public). Forwarded to the upstream "obsidian" on port 3000.
{{ subdomain_notes }}.{{ domain }} {
    # One-year HSTS for this host only; the Server header is removed from
    # responses.
    header {
        Strict-Transport-Security "max-age=31536000"
        -Server
    }

    # This site sits in the public section and has no auth directive or
    # remote_ip matcher, so anyone who can reach the hostname reaches whatever
    # listens on obsidian:3000.
    # NOTE(review): confirm the upstream requires a login, or move this site
    # behind the same Tailscale matcher used for the admin tools.
    reverse_proxy obsidian:3000
}
# ===== TAILSCALE-ONLY SERVICES =====
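# Homarr Dashboard (Tailscale-only).
{{ subdomain_homarr }}.{{ domain }} {
    # 100.64.0.0/10 is the shared CGNAT range from which Tailscale assigns
    # IPv4 addresses. `remote_ip` matches the TCP peer address as Caddy sees
    # it, so the rule identifies tailnet clients only if nothing in front of
    # Caddy rewrites the source address and no other network reachable by
    # this host uses the same range.
    # NOTE(review): upstreams are addressed by container name, so Caddy
    # presumably runs in a container; check that published ports preserve the
    # client address. Tailnet IPv6 (fd7a:115c:a1e0::/48) is not matched and is
    # therefore denied.
    @tailscale {
        remote_ip 100.64.0.0/10
    }

    handle @tailscale {
        reverse_proxy homarr:7575
    }

    # Everything else gets an explicit 403. `abort` is deliberately not
    # combined with `respond` here: inside a handle block Caddy orders `abort`
    # ahead of `respond`, so the connection would be dropped and the 403 would
    # never be sent.
    handle {
        respond "Access Denied - Tailscale Required" 403
    }
}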
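# Dockhand Container Manager (Tailscale-only). A container manager is a
# high-value target, so the source-address rule below is the only thing
# separating it from the public listener.
{{ subdomain_dockhand }}.{{ domain }} {
    # 100.64.0.0/10 is the shared CGNAT range from which Tailscale assigns
    # IPv4 addresses. `remote_ip` matches the TCP peer address as Caddy sees
    # it, so this is only a tailnet check if nothing in front of Caddy
    # rewrites the source address and no other reachable network uses that
    # range.
    # NOTE(review): confirm the deployment preserves client addresses.
    # Tailnet IPv6 (fd7a:115c:a1e0::/48) is not matched and is denied.
    @tailscale {
        remote_ip 100.64.0.0/10
    }

    handle @tailscale {
        reverse_proxy dockhand:3000
    }

    # Non-tailnet clients receive a 403. `abort` is not paired with `respond`
    # because Caddy orders `abort` first within a handle block, which would
    # close the connection before the 403 is written.
    handle {
        respond "Access Denied - Tailscale Required" 403
    }
}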
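# Uptime Kuma Monitoring (Tailscale-only): the full UI, including
# administration.
{{ subdomain_uptime }}.{{ domain }} {
    # 100.64.0.0/10 is the shared CGNAT range from which Tailscale assigns
    # IPv4 addresses. `remote_ip` matches the TCP peer address as Caddy sees
    # it, so this is only a tailnet check if nothing in front of Caddy
    # rewrites the source address and no other reachable network uses that
    # range.
    # NOTE(review): confirm the deployment preserves client addresses.
    # Tailnet IPv6 (fd7a:115c:a1e0::/48) is not matched and is denied.
    @tailscale {
        remote_ip 100.64.0.0/10
    }

    handle @tailscale {
        reverse_proxy uptime-kuma:3001
    }

    # Non-tailnet clients receive a 403. `abort` is not paired with `respond`
    # because Caddy orders `abort` first within a handle block, which would
    # close the connection before the 403 is written.
    handle {
        respond "Access Denied - Tailscale Required" 403
    }
}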
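{% if enable_public_status %}
# Public Status Page. Rendered only when `enable_public_status` is true.
# This site fronts the same Uptime Kuma instance that is otherwise restricted
# to Tailscale, so only the status-page routes are forwarded; everything else
# (login, dashboard, settings) is refused here.
status.{{ domain }} {
    header {
        Strict-Transport-Security "max-age=31536000"
        -Server
    }

    # Send visitors of the bare hostname to the status page.
    redir / /status 302

    # NOTE(review): this route list is presumed from Uptime Kuma's status-page
    # URLs (page, its JSON API, static assets, uploaded logo). Confirm it
    # against the deployed version and trim anything that is not needed.
    @status_page path /status /status/* /api/status-page/* /assets/* /upload/* /icon.svg

    handle @status_page {
        # A reverse_proxy upstream must be host:port only. Caddy rejects an
        # upstream address that carries a path such as ":3001/status", so the
        # path restriction is expressed with the matcher above instead.
        reverse_proxy uptime-kuma:3001
    }

    # Anything outside the allowlist never reaches the upstream.
    handle {
        respond 404
    }
}
{% endif %}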