# Global options block: settings that apply to the whole Caddy instance.
{
	# Contact address passed to Caddy's global `email` option (used for the
	# ACME account). Taken from CADDY_EMAIL; falls back to ops@pala-os.com
	# when the variable is unset.
	email {$CADDY_EMAIL:ops@pala-os.com}
}

# Snippet: baseline browser-hardening response headers. Pulled into a site
# block with `import security_headers`.
(security_headers) {
	header {
		# HSTS for one year, covering subdomains of the serving host.
		# NOTE(review): `preload` only matters if the registrable domain is
		# submitted to the browser preload list, and removal is slow; confirm
		# every subdomain is HTTPS-only before relying on it.
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
		# Forbid rendering responses inside frames (clickjacking defence).
		X-Frame-Options "DENY"
		# Stop browsers from MIME-sniffing a different content type.
		X-Content-Type-Options "nosniff"
		# Cross-origin navigations receive only the origin, not the full URL.
		Referrer-Policy "strict-origin-when-cross-origin"
		# Deny camera, microphone and geolocation to this origin and any frames.
		Permissions-Policy "camera=(), microphone=(), geolocation=()"
		# NOTE(review): no Content-Security-Policy is set here; confirm whether
		# the proxied services emit their own.
	}
}

# Snippet: CORS response headers, emitted only when the request's Origin
# header equals one of the allowlisted origins.
(cors_headers) {
	# Allowlist: the two pala-os.com origins plus whatever
	# PALA_PREMIUM_CORS_ORIGINS expands to. Environment placeholders are
	# substituted before the Caddyfile is parsed, so a space-separated value
	# becomes several matcher values.
	# NOTE(review): when the variable is unset the fallback is the placeholder
	# origin https://customer.example.com; confirm that is intended in
	# production. Every origin listed here may make credentialed requests (see
	# Allow-Credentials below), so keep entries to exact https origins that are
	# trusted with the user's session.
	@allowed_origin header Origin https://pala-os.com https://www.pala-os.com {$PALA_PREMIUM_CORS_ORIGINS:https://customer.example.com}
	# Echo the request's Origin back. This is only safe because the matcher
	# above has already compared it against the allowlist.
	header @allowed_origin Access-Control-Allow-Origin "{http.request.header.Origin}"
	# Lets browsers send cookies / Authorization on cross-origin requests.
	header @allowed_origin Access-Control-Allow-Credentials "true"
	header @allowed_origin Access-Control-Allow-Headers "Authorization, Content-Type, Mcp-Session-Id"
	header @allowed_origin Access-Control-Allow-Methods "GET, POST, OPTIONS"
	# Tell caches the response depends on Origin.
	# NOTE(review): this is only sent for allowlisted origins; if a shared cache
	# sits in front of this host, confirm responses to other origins cannot be
	# served from the same cache entry.
	header @allowed_origin Vary "Origin"
}

# Public site for the MCP service: compresses responses, applies the shared
# security and CORS snippets, and proxies to the pala-mcp upstream.
mcp.pala-os.com {
	encode zstd gzip
	import security_headers
	import cors_headers

	# Answer every OPTIONS request with an empty 204 at the proxy. The CORS
	# headers from cors_headers are attached only when the Origin is
	# allowlisted, so a preflight from any other origin gets a 204 without
	# Access-Control-* headers and the browser refuses the real request.
	@preflight method OPTIONS
	respond @preflight 204

	reverse_proxy pala-mcp:8765 {
		# Negative interval: flush to the client after each write instead of
		# buffering (presumably for streamed responses; confirm with upstream).
		flush_interval -1
		# Forward the original scheme and host to the upstream.
		# NOTE(review): recent Caddy v2 releases already set X-Forwarded-Proto
		# and X-Forwarded-Host on proxied requests; confirm these lines are
		# still needed. The upstream should trust these headers only from this
		# proxy, so check that pala-mcp:8765 is not reachable by another path.
		header_up X-Forwarded-Proto {scheme}
		header_up X-Forwarded-Host {host}
	}
}

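# Site for the Prometheus UI/API: compresses responses, applies the shared
# security headers, and requires HTTP Basic auth before proxying.
metrics.pala-os.com {
	encode zstd gzip
	import security_headers

	# Single `admin` account whose bcrypt hash must be supplied through
	# CADDY_METRICS_ADMIN_HASH. There is deliberately no fallback value: a hash
	# committed to this file is a known credential for every deployment that
	# forgets to set the variable, and it is exposed to offline guessing by
	# anyone who can read the repository. With the variable unset the hash is
	# empty and the config is expected to be rejected at load (fail closed).
	# Any password that matched a previously committed fallback hash should be
	# treated as exposed and rotated.
	basicauth {
		admin {$CADDY_METRICS_ADMIN_HASH}
	}

	# Prometheus sits behind the basic-auth gate above.
	# NOTE(review): this is the only access control shown here; confirm
	# prometheus:9090 is not published on any other interface.
	reverse_proxy prometheus:9090
}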
