##
# Caddy Configuration — Canonical + Direct (production)
#
# Serves both Cloudflare-proxied domains and direct-access domains from a
# single Caddyfile; both currently use the DNS-01 challenge (see Server
# Blocks 1 and 2 below).
# Also handles customer domains via on-demand TLS.
#
# Render with envsubst before deployment:
#   HOSTNAME=us-tor-web-01 JURISDICTION=us SITE_SLUG=B76s2 \
#     envsubst < templates/Caddyfile.canonical.template > /etc/caddy/Caddyfile
#
# Required env vars (envsubst): HOSTNAME, JURISDICTION, SITE_SLUG
# Runtime env vars (Caddy): CLOUDFLARE_API_TOKEN, UPSTREAM_HOST, UPSTREAM_PORT_RANGE, PUBLIC_DIR
#
{
	import snippets/onetime-global.caddy

	# On-demand TLS: before issuing a certificate for a hostname it has no
	# explicit site for (the https:// catch-all, Server Block 3), Caddy
	# queries this loopback endpoint and only proceeds on an approving
	# reply. It is the only hostname gate visible in this file, so the
	# endpoint must reject any name we do not actually serve.
	on_demand_tls {
		ask http://127.0.0.1:7043/api/internal/acme/ask
	}

	# Certificate presented to clients that connect without SNI.
	default_sni $HOSTNAME.onetimesecret.com
}

# Load snippet definitions
# Snippet bodies live under snippets/; they are imported here, ahead of
# the site blocks that reference them by name (onetime-root etc.).
import snippets/onetime-root.caddy
import snippets/onetime-headers.caddy
import snippets/onetime-proxy.caddy
import snippets/onetime-logging.caddy
import snippets/onetime-cors.caddy

######################################################################
#                                                                    #
#        SERVER SETTINGS BELOW THIS LINE                             #
#                                                                    #
######################################################################

# --- Server Block 1: Cloudflare-proxied domains (DNS-01 challenge) ---
#
# These domains sit behind Cloudflare proxy (orange cloud on).
# Certificate issuance uses DNS-01 via Cloudflare API token.


$HOSTNAME.onetimesecret.com $JURISDICTION.onetimesecret.com $HOSTNAME.onetimesecret.dev $JURISDICTION.onetimesecret.dev {
	tls {
		# DNS-01 needs no inbound port; the token is read from Caddy's
		# runtime environment, not baked in by envsubst.
		dns cloudflare {env.CLOUDFLARE_API_TOKEN}
		# Minimum protocol version; effectively TLS 1.3 only.
		protocols tls1.3
	}

	import onetime-root
	# The snippet argument presumably selects a per-site header profile;
	# the snippet body is not in this file.
	import onetime-headers $SITE_SLUG
	import onetime-cors
	import onetime-proxy
	import onetime-logging

	# HSTS — for Cloudflare-proxied domains, these may be overridden
	# by Cloudflare SSL/TLS Dashboard settings.
	# Every address in this block falls under one of these wildcards, so
	# the matcher is effectively unconditional here. "preload" commits the
	# domains to browser preload lists, which is hard to reverse — keep it
	# only while every subdomain is meant to stay HTTPS-only.
	@hsts_domains {
		host *.onetimesecret.com *.onetimesecret.dev
	}
	header @hsts_domains Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
}

# --- Server Block 2: Direct-access domains (orange cloud off, DNS only) ---
#
# Certificate issuance uses DNS-01 via the Cloudflare API token, the same
# as Server Block 1; only the connection path differs.
#
# Direct connections bypass Cloudflare. The earlier TLS-ALPN-01 setup
# (HTTP challenge disabled since port 80 may be Cloudflare-only) remains
# only as the commented-out issuer block in the tls section below.
# Approximated.app customer domains also arrive here via
# $JURISDICTION.onetime.co — TLS is already terminated by
# approximated's network; the real custom domain is in headers
# (Apx-Incoming-Host).
#
# The direct.* and via-cloudflare.* subdomains exist for semantics that
# make them easier to communicate and remember — or at least they did when
# we had separate CNAME targets for direct vs proxied traffic. Both now
# point to the same Caddy instance, but we keep them working for
# pre-existing customers. (NOTE: only a single customer actually uses
# via-cloudflare; the rest are documented in the domains.txt file from the
# webdirect instance in US.)
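$HOSTNAME.onetime.co $JURISDICTION.onetime.co direct.$JURISDICTION.onetime.co via-cloudflare.$JURISDICTION.onetime.co $HOSTNAME.onetime.dev $JURISDICTION.onetime.dev direct.$JURISDICTION.onetime.dev via-cloudflare.$JURISDICTION.onetime.dev {
	tls {
		# DNS-01 via the Cloudflare API token (same as Server Block 1), so
		# issuance does not depend on port 80/443 being reachable directly.
		# (Indentation normalised to tabs to match the rest of the file.)
		dns cloudflare {env.CLOUDFLARE_API_TOKEN}
		# Minimum protocol version; effectively TLS 1.3 only.
		protocols tls1.3

		# Leftover from the earlier TLS-ALPN-01 setup. With dns cloudflare
		# above it is not needed; drop it once DNS-01 is confirmed working
		# for these domains in production.
		# issuer acme {
		# 	disable_http_challenge
		# }
	}

	import onetime-root
	# The snippet argument presumably selects a BYOC-specific header
	# profile; the snippet body is not in this file.
	import onetime-headers ${SITE_SLUG}-byoc
	# No onetime-cors import here, unlike Server Block 1 — presumably
	# deliberate for BYOC traffic; confirm before adding it.
	import onetime-proxy
	import onetime-logging

	# NOTE(review): requests relayed by approximated carry the customer's
	# real hostname in Apx-Incoming-Host. Whatever consumes that header
	# (not in this file) should trust it only on connections that really
	# come from approximated's network — verify at the consumer.

	# Every address in this block falls under one of these wildcards, so
	# the matcher is effectively unconditional here. "preload" commits the
	# domains to browser preload lists, which is hard to reverse.
	@hsts_domains {
		host *.onetime.co *.onetime.dev
	}
	header @hsts_domains Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
}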

# --- Server Block 3: Custom domains (on-demand TLS) ---
#
# Catch-all for customer domains that point DNS directly at this
# server (not through approximated.app or Cloudflare). Caddy
# issues certs on-demand via TLS-ALPN, validated by the ask
# endpoint; because this block matches any hostname, that ask
# endpoint is the only thing preventing issuance for domains we do
# not serve. The tls block must not have cert/issuer settings to
# avoid conflict with the catch-all automation policy.

# Matches any hostname on the HTTPS port that no earlier site block
# claims — Caddy prefers the more specific addresses above.
https:// {
	tls {
		# Minimum protocol version; effectively TLS 1.3 only.
		protocols tls1.3
		# Issue at handshake time for whatever SNI arrives; each name is
		# first checked against the global on_demand_tls ask endpoint.
		# Deliberately no issuer/cert settings here (see note above).
		on_demand
	}

	import onetime-root
	# The snippet argument presumably selects an on-demand-specific header
	# profile; the snippet body is not in this file.
	import onetime-headers ${SITE_SLUG}-ondemand
	import onetime-proxy
	import onetime-logging
}

# --- Site block imports (not snippets — these define site blocks) ---

# Each of these files contributes its own site block (HTTP→HTTPS
# redirect, admin endpoint); their contents are not visible here.
import snippets/http-redirect.caddy
import snippets/admin.caddy
