# Caddyfile for reverse proxy with automatic SSL
{
    # Email for Let's Encrypt notifications
    email {$EMAIL:-admin@example.com}
}

# Main website
{$DOMAIN:-localhost} {
    # Reverse proxy to website container
    reverse_proxy website:3000
    
    # Security headers
    header {
        # Enable HSTS
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        # Prevent clickjacking
        X-Frame-Options "SAMEORIGIN"
        # Prevent MIME sniffing
        X-Content-Type-Options "nosniff"
        # XSS protection
        X-XSS-Protection "1; mode=block"
        # Remove server info
        Server "mintel"
    }
    
    # Logging
    log {
        output file /var/log/caddy/access.log
        format json
    }
    
    # Compression
    encode zstd gzip
}

# Analytics subdomain (if using your existing Plausible)
analytics.{$DOMAIN:-localhost} {
    # Point to your existing Plausible instance
    # Replace with your Plausible server IP/domain
    reverse_proxy http://YOUR_PLAUSIBLE_SERVER:8000
    
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        X-Frame-Options "SAMEORIGIN"
        X-Content-Type-Options "nosniff"
    }
}