# Caddy reverse proxy in front of the Int Leptos app.
#
# Caddy listens on :80 (auto-redirects to :443 + serves ACME-HTTP-01)
# and :443 (TLS-terminated HTTPS), enforces HTTP Basic Auth, and
# forwards authenticated requests to the local axum server bound at
# 127.0.0.1:8080. The app is no longer publicly bound.
#
# Adding a user:
#   1. Run `caddy hash-password` on a machine that has caddy installed
#      (or `docker run --rm -it caddy:latest caddy hash-password`).
#      Enter the chosen password twice; copy the resulting `$2a$...`
#      bcrypt hash.
#   2. Add a new line under `basicauth /*` in this file with format:
#        `<username> <bcrypt-hash>`
#   3. PR + merge. To activate on the runner, either re-run
#      `bootstrap-host.sh --role int` (idempotent) or scp the file and
#      run `systemctl reload caddy`.
#
# Removing a user:
#   Delete the line and follow the activation step above.

frunner.duckdns.org {
    # Users live here. Replace the placeholder hash with real bcrypt
    # output before deploying. Caddy refuses to start if the hash is
    # malformed, so the placeholder must be replaced.
    basic_auth /* {
        hobby $2a$14$KDkCM5R/F9.DEHk5GKxnE.lY/F.eVwpblht0VfodLlaHvwtwiXRam
    }

    reverse_proxy 127.0.0.1:8080

    # Caddy's defaults already do automatic_https on the named host
    # (LE on :443, redirect from :80) — no extra directive needed.
    #
    # NOTE: LE's CAA lookup against the duckdns.org zone occasionally
    # times out because DuckDNS's nameservers drop the query under
    # load. Caddy retries with exponential backoff and usually
    # succeeds within ~5 minutes. If LE issuance is consistently
    # failing on renewal, add a ZeroSSL fallback issuer (the Forgejo
    # box at forgit.duckdns.org uses this pattern); requires an EAB
    # credential which Caddy can mint via `caddy adapt` on first use.

    # Modest log retention; Caddy's defaults log to stderr/journal.
    # If we ever want structured access logs on disk, add:
    #   log {
    #     output file /var/log/caddy/access.log
    #     format json
    #   }
}
