# Marketing-VPS Caddyfile — wird auf marketing.digiformer.eu deployt
#
# Eine Caddy-Instanz hostet alle statischen Marken-Sites über file_server.
# Per-Marke ein Block. Jede Marke hat ihren eigenen Verzeichnis-Tree unter /var/www/<domain>/.
# Forgejo Actions rsync't den Astro-Build-Output dorthin.

{
  # globale Optionen
  email pascal.oelmann@digiformer.net
  servers {
    metrics  # Prometheus-Endpoint :2019/metrics für späteres Monitoring
  }
}

# — slimcore.io —
slimcore.io, www.slimcore.io {
  root * /var/www/slimcore.io
  encode zstd gzip

  header {
    Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    X-Content-Type-Options nosniff
    Referrer-Policy strict-origin-when-cross-origin
    Permissions-Policy "interest-cohort=()"
    -Server
  }

  # Astro generiert echte HTML-Files für jede Route, kein SPA-Fallback nötig
  # /index.html, /en/index.html, /module/index.html, /en/module/index.html, etc.
  file_server

  # Sitemap, robots.txt, OG-Image direkt aus dem Root
  @static_root path /sitemap-*.xml /robots.txt /favicon.svg /og-default.png
  handle @static_root {
    file_server
  }

  # Cache-Header pro Asset-Typ
  @assets path /_astro/* /fonts/*
  handle @assets {
    header Cache-Control "public, max-age=31536000, immutable"
  }

  @html path *.html /
  handle @html {
    header Cache-Control "public, max-age=300, must-revalidate"
  }

  # Redirects — sollten in Astro-Site selbst leben, aber als Sicherheits-Netz hier
  redir /home / permanent
  redir /index / permanent

  log {
    output file /var/log/caddy/slimcore.io.log {
      roll_size 100MiB
      roll_keep 14
    }
    format json
  }
}

# — digiformer.eu — (sobald migriert)
digiformer.eu, www.digiformer.eu {
  root * /var/www/digiformer.eu
  encode zstd gzip
  header Strict-Transport-Security "max-age=31536000; includeSubDomains"
  file_server
  log {
    output file /var/log/caddy/digiformer.eu.log
  }
}

# — slimsafe.io — (sobald Marketing-Site existiert)
slimsafe.io, www.slimsafe.io {
  root * /var/www/slimsafe.io
  encode zstd gzip
  header Strict-Transport-Security "max-age=31536000"
  file_server
  log {
    output file /var/log/caddy/slimsafe.io.log
  }
}

# — fonboard.io — (sobald Marketing-Site existiert)
fonboard.io, www.fonboard.io {
  root * /var/www/fonboard.io
  encode zstd gzip
  header Strict-Transport-Security "max-age=31536000"
  file_server
  log {
    output file /var/log/caddy/fonboard.io.log
  }
}

# — Status-Page (intern, basicauth-geschützt) —
status.digiformer.eu {
  reverse_proxy 127.0.0.1:3001
  basicauth {
    # caddy hash-password generiert den bcrypt-Hash
    # echtes Passwort beim Setup setzen
    pascal $2a$14$REPLACE_WITH_BCRYPT_HASH
  }
}

# Catch-all — unbekannte Hostnames bekommen 404, kein Default-Server
:80 {
  respond "Not Found" 404
}

:443 {
  respond "Not Found" 404
}