# ─────────────────────────────────────────────────────────────────────────────
# GLOBAL BLOCK
# ─────────────────────────────────────────────────────────────────────────────
{
    # Sort the crowdsec handler ahead of every other HTTP directive, so that in
    # sites which use it, it runs before forward_auth and reverse_proxy.
    order crowdsec first

    # NOTE(review): a `log` block in the global options configures Caddy's
    # default logger. Per-request access entries are only emitted for sites
    # that carry their own `log` directive, and no site block in this file has
    # one, so access.log may contain runtime messages only. If CrowdSec (or any
    # other detection pipeline) is expected to parse request lines from this
    # file, confirm they actually appear in it.
    log {
        output file /var/log/caddy/access.log {
            # Rotate at 50 MB and keep five rotated files.
            roll_size 50mb
            roll_keep 5
        }
        # Structured JSON, one object per entry.
        format json
    }
}

# ─────────────────────────────────────────────────────────────────────────────
# SNIPPETS
# ─────────────────────────────────────────────────────────────────────────────

# Imported by every site that should be screened by the CrowdSec bouncer.
# NOTE(review): the Caddy CrowdSec bouncer plugin documents api_url / api_key as
# sub-options of a `crowdsec { ... }` block in the GLOBAL options, with a bare
# `crowdsec` directive inside each site. Check with `caddy validate` that the
# installed plugin version accepts them in this position.
(crowdsec) {
    crowdsec {
        # CrowdSec Local API, reached over plain HTTP by service name.
        # Presumably a private container network -- verify it is not routable
        # from outside the host.
        api_url http://crowdsec:8080
        # Bouncer key is read from the environment, which keeps it out of this
        # file. An unset variable expands to an empty string, so make sure it
        # is defined before Caddy starts.
        api_key {$CROWDSEC_API_KEY}
    }
}

# Forward-auth against the authentik outpost. A site that imports this snippet
# has each request checked by the outpost before its own reverse_proxy runs.
# NOTE(review): Caddy's default directive order sorts forward_auth ahead of
# route, so the written order below is not the execution order. authentik's
# reference Caddy config wraps the outpost proxy, forward_auth and the site's
# reverse_proxy in a single `route` block to pin the sequence -- confirm the
# login redirect and callback work as laid out here.
(authentik) {
    # Outpost endpoints (login start, callback, sign-out) are served by the
    # outpost itself rather than by the protected application.
    route /outpost.goauthentik.io/* {
        reverse_proxy http://authentik:9000
    }

    forward_auth http://authentik:9000 {
        uri /outpost.goauthentik.io/auth/caddy
        # Tell the outpost which original host, scheme and URI are being
        # authorised. Caddy's forward_auth also sends X-Forwarded-Method and
        # X-Forwarded-Uri on its own.
         header_up X-Forwarded-Host {http.request.host}
        header_up X-Forwarded-Proto {http.request.scheme}
        header_up X-Forwarded-URI {http.request.uri}
        # Identity headers copied from the outpost's response onto the request
        # that goes to the backend. Backends that trust these headers must only
        # be reachable through this proxy; a direct path to the upstream port
        # would not pass through this check.
        copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
    }
}

# Forward-auth against Authelia. A site that imports this snippet has each
# request verified by Authelia before its own reverse_proxy runs.
(authelia) {
    forward_auth http://authelia:9091 {
        # `rd` is the portal URL unauthenticated users are redirected to.
        # NOTE(review): no site block for login.wasted-bandwidth.net is visible
        # in this file -- confirm the portal is published elsewhere.
        # NOTE(review): /api/verify is, as far as I know, the legacy endpoint in
        # newer Authelia releases; check it against the deployed version.
        uri /api/verify?rd=https://login.wasted-bandwidth.net/
        # Identity headers copied from Authelia's response onto the backend
        # request. Backends that trust them must only be reachable through
        # this proxy.
        copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
    }
}

# Shared upstream for the mailcow hostnames: plain HTTP to the nginx-mailcow
# service on port 80. TLS for clients is terminated by Caddy.
(mailcow-proxy) {
    reverse_proxy nginx-mailcow:80
}

# ─────────────────────────────────────────────────────────────────────────────
# SITE BLOCKS
# ─────────────────────────────────────────────────────────────────────────────

# Nextcloud AIO - Optimized for WebDAV and Folder Uploads
# This site imports neither the crowdsec nor a forward-auth snippet, so
# authentication and login throttling are left entirely to Nextcloud.
cloud.netgrimoire.com {
    # No CrowdSec here for now to prevent 404s on rapid-fire WebDAV requests
    # NOTE(review): this leaves the host unscreened at the proxy; revisit once
    # the WebDAV issue is understood rather than keeping the exemption
    # indefinitely.
    reverse_proxy http://nextcloud-aio-apache:11000 {
        # Caddy's reverse_proxy already sets X-Forwarded-For/-Proto/-Host; the
        # lines below pin them explicitly to the connecting peer's values.
        # If Caddy itself sits behind another proxy, {remote_host} is that
        # proxy's address, not the end client's -- verify against the topology.
        header_up Host {host}
        header_up X-Real-IP {remote_host}
        header_up X-Forwarded-For {remote_host}
        header_up X-Forwarded-Proto {scheme}
        # Re-sets Destination to its incoming value (used by WebDAV MOVE/COPY).
        # Request headers are forwarded by default, so this looks like a no-op.
        header_up Destination {http.request.header.Destination}
        
        transport http {
            # Allow up to 300 s for the backend to start responding and 30 s
            # to establish the upstream connection.
            response_header_timeout 300s
            dial_timeout 30s
        }
    }
}

# Services with Authentik Protection
# Each site below is screened by the crowdsec snippet and then by authentik
# forward-auth before the request reaches its upstream.
# The upstreams are plain HTTP on LAN addresses or container names, and the
# authentication check exists only at this proxy. Make sure those ports are not
# reachable by any path that skips Caddy (published container ports, LAN
# firewall rules).
dozzle.netgrimoire.com {
    import crowdsec
    import authentik
    reverse_proxy http://192.168.4.72:8043
}

dns.netgrimoire.com {
    import crowdsec
    import authentik
    reverse_proxy http://192.168.5.7:5380
}

webtop.netgrimoire.com {
    import crowdsec
    import authentik
    reverse_proxy http://webtop:3000
}

jackett.netgrimoire.com {
    import crowdsec
    import authentik
    reverse_proxy http://gluetun:9117
}

transmission.netgrimoire.com {
    import crowdsec
    import authentik
    reverse_proxy http://gluetun:9091
}

scrutiny.netgrimoire.com {
    import crowdsec
    import authentik
    reverse_proxy http://192.168.5.10:8081
}

homelable.netgrimoire.com {
    import crowdsec
    import authentik
    reverse_proxy http://homelable-frontend:80
}

# Services with Authelia Protection
# Each site below is screened by the crowdsec snippet and then by Authelia
# forward-auth before the request reaches its upstream.
# Both upstreams are plain HTTP on a LAN address; the authentication check
# exists only at this proxy, so those ports should not be reachable by any
# path that skips Caddy.
stash.wasted-bandwidth.net {
    import crowdsec
    import authelia
    reverse_proxy http://192.168.5.10:9999
}

namer.wasted-bandwidth.net {
    import crowdsec
    import authelia
    reverse_proxy http://192.168.5.10:6980
}

# Standard Services (Direct Proxy)
# None of the sites in this section import the crowdsec snippet or a
# forward-auth snippet: every request is handed straight to the upstream, and
# access control is whatever the application itself enforces.
# NOTE(review): going by the upstream names, several of these are management
# or monitoring consoles (graylog, portainer, librenms). Confirm each one is
# meant to be reachable without the proxy-level checks used elsewhere in this
# file, and consider at least `import crowdsec` where the application
# tolerates it.
log.netgrimoire.com {
    reverse_proxy http://graylog:9000
}

win.netgrimoire.com {
    reverse_proxy http://192.168.5.10:8006
}

docker.netgrimoire.com {
    reverse_proxy http://portainer:9000
}

immich.netgrimoire.com {
    reverse_proxy http://192.168.5.10:2283
}

npm.netgrimoire.com {
    reverse_proxy http://librenms:8000
}

accounts.netgrimoire.com, accounts.pncharris.com {
    reverse_proxy http://bigcapital-proxy-1:80
}

# fish.pncharris.com and www.wasted-bandwidth.net share the same upstream
# (http://web); the backend presumably tells them apart by Host header.
fish.pncharris.com {
    reverse_proxy http://web
}

www.wasted-bandwidth.net {
    reverse_proxy http://web
}

# One Roundcube instance serves webmail for all listed domains.
webmail.netgrimoire.com, webmail.gnarlypandaproductions.com, webmail.pncharris.com, webmail.pncfishandmore.com, webmail.pncharrisenterprises.com, webmail.florosafd.org {
    reverse_proxy http://roundcube:80
}

# Mailcow Stack
# One site block covering the mail, autodiscover and autoconfig hostnames of
# every hosted domain; all of them are handed to the mailcow-proxy snippet.
# No crowdsec or forward-auth snippet is imported here, so login protection
# for the mailcow web UI and the autodiscover/autoconfig endpoints rests with
# mailcow itself.
mail.netgrimoire.com, autodiscover.netgrimoire.com, autoconfig.netgrimoire.com, \
mail.wasted-bandwidth.net, autodiscover.wasted-bandwidth.net, autoconfig.wasted-bandwidth.net, \
mail.gnarlypandaproductions.com, autodiscover.gnarlypandaproductions.com, autoconfig.gnarlypandaproductions.com, \
mail.pncfishandmore.com, autodiscover.pncfishandmore.com, autoconfig.pncfishandmore.com, \
mail.pncharrisenterprises.com, autodiscover.pncharrisenterprises.com, autoconfig.pncharrisenterprises.com, \
mail.pncharris.com, autodiscover.pncharris.com, autoconfig.pncharris.com, \
mail.florosafd.org, autodiscover.florosafd.org, autoconfig.florosafd.org {
    import mailcow-proxy
}