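# Caddyfile — template rendered by phase8_cutover.sh
#
# Render-time variables: CADDY_DOMAIN, GITEA_DOMAIN, GITEA_CONTAINER_IP and
# TLS_BLOCK. They are named here without the dollar-brace syntax so that the
# renderer does not expand them inside comments (a multi-line TLS_BLOCK
# expanded in a comment would leave its later lines uncommented).
#
# TLS_BLOCK is replaced by the phase script based on TLS_MODE:
#   cloudflare → dns cloudflare {env.CF_API_TOKEN}
#   existing   → tls /path/to/cert /path/to/key
#
# {env.CF_API_TOKEN} is a Caddy placeholder, not a render-time variable: Caddy
# reads the token from its own environment when it loads the config, so the
# secret stays out of the rendered file as long as the renderer leaves the
# placeholder untouched. Give the token only the DNS permissions needed for
# this zone. In "existing" mode, keep the key file readable only by the
# account Caddy runs as.
# NOTE(review): in a Caddyfile `dns` is a subdirective of `tls`, so the
# rendered cloudflare block presumably wraps it in `tls { ... }`, and needs a
# Caddy build that includes the Cloudflare DNS provider module — confirm in
# phase8_cutover.sh.
#
# Wildcard cert covers *.CADDY_DOMAIN; @gitea routes GITEA_DOMAIN to Gitea.
# NOTE(review): the wildcard label matches a single level, so GITEA_DOMAIN
# presumably has to be a direct subdomain of CADDY_DOMAIN for @gitea to ever
# match — verify against the values the phase script passes in.
*.${CADDY_DOMAIN} {
	${TLS_BLOCK}

	@gitea host ${GITEA_DOMAIN}
	handle @gitea {
		# TLS terminates at Caddy; no scheme is given, so this hop to the
		# container is plain HTTP on port 3000.
		# NOTE(review): assumes port 3000 is reachable only from Caddy (not
		# published on the host) — confirm in the container setup.
		reverse_proxy ${GITEA_CONTAINER_IP}:3000
	}

	# Every other hostname under the wildcard gets an explicit 404 instead of
	# falling through to Gitea.
	handle {
		respond "Service not configured" 404
	}
}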