# =============================================================================
# locopuente reverse proxy — Caddy
# =============================================================================
# Config-as-code replacement for nginx-proxy-manager. Automatic TLS via
# Let's Encrypt (HTTP-01). Secrets come from the environment (see .env.example),
# never hard-coded here, so this file is safe to commit.
#
# Auth policy:
#   * UI, no built-in accounts  -> basic_auth  (users defined once, reused)
#   * API only                  -> bearer token (matcher + 401)
#   * App has its own accounts   -> no proxy auth
#
# Backends live on the Docker host's LAN at 192.168.20.120 (+ .3 for serveur.au).
# Reload after edits:  docker exec loco-caddy caddy reload --config /etc/caddy/Caddyfile
# =============================================================================
{
	# Global options
	email michael.borck@curtin.edu.au
	# admin endpoint stays on loopback inside the container (default)
}

# ---- reusable snippets ------------------------------------------------------

# Basic Auth for UI tools with no built-in login. The `swarm` hash is a bcrypt
# of the existing shared password; add more users as `name hash` lines.
(ui_auth) {
	basic_auth {
		swarm {$SWARM_BCRYPT}
	}
}

# Bearer-token gate for API-only hosts. Pass the expected token as an arg:
#   import api_auth {$SOME_TOKEN}
(api_auth) {
	@unauthorized not header Authorization "Bearer {args[0]}"
	respond @unauthorized 401
}

# =============================================================================
# UI hosts — HTTP Basic Auth (policy: UI without accounts)
# =============================================================================

image.locopuente.org {
	import ui_auth
	reverse_proxy 192.168.20.120:7801
}

audio.locopuente.org {
	import ui_auth
	reverse_proxy 192.168.20.120:7860
}

musicgen.locopuente.org {
	import ui_auth
	reverse_proxy 192.168.20.120:7860
}

fooocus.locopuente.org {
	import ui_auth
	reverse_proxy 192.168.20.120:7865
}

notes.locopuente.org {
	import ui_auth
	reverse_proxy 192.168.20.120:8502
}

search.locopuente.org {
	import ui_auth
	reverse_proxy 192.168.20.120:3005
}

cite.locopuente.org {
	import ui_auth
	reverse_proxy 192.168.20.120:3010
}

whiteboard.locopuente.org {
	import ui_auth
	reverse_proxy 192.168.20.120:3333
}

pdf.locopuente.org {
	import ui_auth
	reverse_proxy 192.168.20.120:8089
}

# boxes.borck.dev used a separate user list (callum/michael) in NPM.
# Those were apr1-hashed and could not be converted; set a fresh bcrypt
# password below (see BOXES_BCRYPT in .env.example) before enabling.
boxes.borck.dev {
	basic_auth {
		michael {$BOXES_BCRYPT}
	}
	reverse_proxy 192.168.20.120:8077
}

# =============================================================================
# API hosts — Bearer token (policy: API only)
# =============================================================================

swarmui.locopuente.org {
	import api_auth {$SWARMUI_TOKEN}
	reverse_proxy 192.168.20.120:7801
}

voice.locopuente.org {
	import api_auth {$VOICE_TOKEN}
	reverse_proxy 192.168.20.120:17493
}

chatterbox.locoensayo.org {
	import api_auth {$CHATTERBOX_TOKEN}
	reverse_proxy 192.168.20.120:8004
}

comfyui.locopuente.org {
	import api_auth {$COMFYUI_TOKEN}
	reverse_proxy 192.168.20.120:8188
}

speaches.locopuente.org {
	import api_auth {$SPEACHES_TOKEN}
	reverse_proxy 192.168.20.120:8000
}

workready-api.eduserver.au {
	import api_auth {$WORKREADY_TOKEN}
	reverse_proxy 192.168.20.120:8001
}

# ollama: backend was 127.0.0.1:1 in NPM (placeholder/disabled). Point this at
# the real Ollama host:port before relying on it. Token gate retained.
ollama.locollm.org {
	import api_auth {$OLLAMA_TOKEN}
	reverse_proxy 127.0.0.1:11434
}

# =============================================================================
# App hosts — no proxy auth (app has its own accounts / is public by design)
# =============================================================================

chat.locopuente.org {
	# LibreChat — own account system
	reverse_proxy 192.168.20.120:3080
}

chat.eduserver.au {
	# AnythingLLM — own account system
	reverse_proxy 192.168.20.120:3001
}

books.serveur.au {
	# personal host on serveur.au (not a puente service)
	reverse_proxy 192.168.20.3:5000
}

plex.serveur.au {
	# Plex — own auth
	reverse_proxy 192.168.20.3:32400
}

go.locopuente.org {
	# static portal
	reverse_proxy 192.168.20.120:8090
}

closingthegap.eduserver.au {
	# static portal
	reverse_proxy 192.168.20.120:8090
}
