# Recommended Caddy baseline for the current homelab reverse-proxy estate.
# Source upstreams were derived from setup/nginx-to-caddy/oldconfig/*.conf.
#
# If your public suffix changes (for example sintheus.com -> privacyindesign.com),
# update the hostnames below before deployment.
{
	# DNS-01 certificates through Cloudflare.
	# Requires CF_API_TOKEN in Caddy runtime environment.
	acme_dns cloudflare {env.CF_API_TOKEN}

	# Trust private-range proxy hops in LAN environments.
	servers {
		trusted_proxies static private_ranges
		protocols h1 h2 h3
	}
}

(common_security) {
	encode zstd gzip

	header {
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
		X-Content-Type-Options "nosniff"
		X-Frame-Options "SAMEORIGIN"
		Referrer-Policy "strict-origin-when-cross-origin"
		-Server
	}
}

(proxy_headers) {
	# Keep Nginx parity for backends that consume Host and X-Real-IP.
	header_up Host {host}
	header_up X-Real-IP {remote_host}
}

(proxy_streaming) {
	import proxy_headers
	# Flush immediately for streaming/log-tail/websocket-heavy UIs.
	flush_interval -1
}

ai.sintheus.com {
	import common_security

	request_body {
		max_size 50MB
	}

	reverse_proxy http://192.168.1.82:8181 {
		import proxy_streaming
	}
}

getter.sintheus.com {
	import common_security

	reverse_proxy http://192.168.1.3:8181 {
		import proxy_headers
	}
}

portainer.sintheus.com {
	import common_security

	reverse_proxy https://192.168.1.181:9443 {
		import proxy_headers
		transport http {
			tls_insecure_skip_verify
		}
	}
}

photos.sintheus.com {
	import common_security

	request_body {
		max_size 50GB
	}

	reverse_proxy http://192.168.1.222:2283 {
		import proxy_headers
	}
}

fin.sintheus.com {
	import common_security

	reverse_proxy http://192.168.1.233:8096 {
		import proxy_streaming
	}
}

disk.sintheus.com {
	import common_security

	request_body {
		max_size 20GB
	}

	reverse_proxy http://192.168.1.52:80 {
		import proxy_headers
	}
}

pi.sintheus.com {
	import common_security

	reverse_proxy http://192.168.1.4:80 {
		import proxy_headers
	}
}

plex.sintheus.com {
	import common_security

	reverse_proxy http://192.168.1.111:32400 {
		import proxy_streaming
	}
}

sync.sintheus.com {
	import common_security

	reverse_proxy http://192.168.1.119:8384 {
		import proxy_headers
	}
}

syno.sintheus.com {
	import common_security

	reverse_proxy https://100.108.182.16:5001 {
		import proxy_headers
		transport http {
			tls_insecure_skip_verify
		}
	}
}

tower.sintheus.com {
	import common_security

	reverse_proxy https://192.168.1.82:443 {
		import proxy_headers
		transport http {
			tls_insecure_skip_verify
		}
	}
}