# Automatic HTTPS for the InventTasks sync server.
# {$SYNC_DOMAIN} and {$TLS_EMAIL} come from .env via docker-compose.
# Caddy obtains and renews a Let's Encrypt certificate on its own.

{
	# Global options block: it has no site address, so it configures Caddy
	# itself rather than a single site.
	#
	# `email` is the contact address used for the ACME account that Caddy
	# registers with the certificate authority. {$TLS_EMAIL} is replaced with
	# the environment variable's value when the Caddyfile is parsed.
	# NOTE(review): an unset variable expands to an empty string; confirm that
	# .env always defines TLS_EMAIL (or use the {$VAR:default} form).
	email {$TLS_EMAIL}
}

{$SYNC_DOMAIN} {
	# Site block for the sync server. The address is taken from the
	# SYNC_DOMAIN environment variable at parse time. With a bare hostname
	# (no scheme or port) Caddy serves the site over HTTPS and manages the
	# certificate itself.
	# NOTE(review): if SYNC_DOMAIN is unset the address expands to an empty
	# string; confirm the deployment fails loudly instead of starting with an
	# unintended site address.

	# Compress responses, offering zstd and gzip to clients that accept them.
	encode zstd gzip

	# WebSocket (live sync) and REST share the same upstream — Caddy proxies
	# both transparently, including the Upgrade handshake for /watch.
	# No scheme is given, so the hop to the upstream is plain HTTP; TLS ends
	# at Caddy.
	# NOTE(review): presumably `inventtasks` is the compose service name and
	# port 8480 is reachable only on the internal network. If the port is also
	# published on the host, clients can reach the app without TLS and without
	# the body limit and headers set below — verify against docker-compose.
	reverse_proxy inventtasks:8480

	# Allow large attachments (matches the server's MAX_FILE_MB ceiling).
	# No matcher is given, so the limit applies to every request on this
	# site, not only attachment uploads.
	# NOTE(review): MAX_FILE_MB is defined outside this file. Keep the two
	# values in sync, and confirm the limit leaves headroom for
	# multipart/encoding overhead on a maximum-size file.
	request_body {
		max_size 60MB
	}

	# Response headers. Because one field is deleted with `-`, Caddy defers
	# these operations until the response is written, so they also apply to
	# responses that come back from the proxied upstream.
	header {
		# The web app and API are same-origin, so this is just basic hardening.
		# HSTS for one year. `includeSubDomains` makes browsers require HTTPS
		# for every subdomain of SYNC_DOMAIN as well.
		# NOTE(review): confirm all subdomains serve valid HTTPS before relying
		# on this, since browsers cache the policy for the whole max-age.
		Strict-Transport-Security "max-age=31536000; includeSubDomains"
		# Tell browsers not to MIME-sniff responses away from the declared
		# Content-Type (relevant when serving user-uploaded attachments).
		X-Content-Type-Options "nosniff"
		# Never send a Referer header on navigations or requests leaving this
		# origin.
		Referrer-Policy "no-referrer"
		# Remove the Server response header. This only reduces software
		# fingerprinting; it is not a substitute for patching.
		-Server
		# NOTE(review): no framing or content-security policy is set here;
		# confirm whether the app sends its own CSP / frame-ancestors.
	}
}
