# Browser TLS for the console dashboard:
#   browser --h2/HTTPS--> caddy:443 --HTTP/1.1 (plaintext)--> console:8090
# The console serves HTTP (it's the ACME bootstrap endpoint), so browser TLS is
# terminated here. `tls internal` uses Caddy's own local CA; trust its root once:
#   docker compose exec caddy cat /data/caddy/pki/authorities/local/root.crt
# See docs/tls.md (incl. the acme_ca→console alternative and why it's not default).

# Dashboard site: terminates browser TLS on 443 and forwards plaintext to the console.
:443 {
	# on_demand: a port-only site has no fixed name to pre-issue for; safe here
	# because the issuer is Caddy's local CA, not a public one.
	# NOTE(review): with on_demand the set of certificate names is client-driven —
	# each previously unseen SNI name triggers an issuance by the local CA, and the
	# resulting cert is cached/persisted by Caddy. If the dashboard is reached via a
	# fixed host name, naming it in the site address instead would avoid that;
	# confirm against docs/tls.md before changing.
	# Trusting root.crt (see the header) trusts anything this CA signs; its signing
	# key presumably lives in the same caddy data volume as root.crt, so treat that
	# volume as secret material.
	tls internal {
		on_demand
	}
	# Plaintext hop to the console on the compose network; nothing on this leg is
	# encrypted or authenticated by Caddy, so it relies on that network being private.
	reverse_proxy console:8090 {
		flush_interval -1 # stream the dashboard SSE without buffering
	}
}

# Optional SearxNG web UI on its own port:
#   browser --h2/HTTPS--> caddy:8444 --HTTP/1.1 (plaintext)--> searxng:8080
# SearxNG has NO authentication, so whoever reaches this port can search through
# it (an open proxy). The dev stack publishes 8444 on 127.0.0.1 only; the
# production stack does NOT publish it by default — uncomment the caddy port to
# opt in, and mind the AGPL-3.0 §13 source-offer obligation (see docs/docker.md).
# Caddy listens here unconditionally, but it's only reachable where the compose
# maps the host port. A dedicated port (not a sub-path) avoids SearxNG's
# base-URL/asset issues under a subdirectory.
# SearxNG site: TLS on 8444, plaintext to searxng. No authentication is added
# here either — reachability is governed solely by the compose port mapping.
:8444 {
	# Same local-CA on_demand setup as the dashboard: issuance is per unseen SNI
	# name and persisted by Caddy; acceptable only because the issuer is internal.
	tls internal {
		on_demand
	}
	# Plaintext hop on the compose network; no buffering tweaks needed for SearxNG.
	reverse_proxy searxng:8080
}
