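# Single-node Caddy: TLS terminate + WS upgrade + internal-only /metrics.
#
# No load balancing — one node backend. Keeps the file short and easy to
# audit. For a multi-node deployment see deploy/prod/caddy/Caddyfile.
#
# Security notes for whoever edits this file:
#   - Every route below proxies to the same backend, and the final `handle`
#     is a catch-all, so any path not explicitly claimed above it reaches
#     node:8080 unchanged. The /metrics section is therefore written
#     fail-closed: the metrics path is claimed first, only allow-listed
#     source ranges are proxied, and everything else gets a 403.
#   - `remote_ip` is the TCP peer address, not X-Forwarded-For. That is the
#     right check for this single-node layout (presumably nothing sits in
#     front of Caddy). If a CDN or load balancer is ever added, switch to
#     `trusted_proxies` plus the `client_ip` matcher, otherwise every
#     request will appear to come from the proxy's (likely private) address.
#   - NOTE(review): if Caddy itself runs in Docker with the default NAT /
#     userland-proxy, external connections can arrive with the bridge
#     gateway's 172.x address, which the allow-list trusts. Check the
#     remote address field in the access log before relying on this
#     restriction — confirm for the target host.

{
	# NOTE(review): Let's Encrypt is reported to refuse contact addresses at
	# example.com, so a real DOMAIN with ACME_EMAIL unset may fail issuance;
	# set ACME_EMAIL in production.
	email {$ACME_EMAIL:admin@example.com}
	servers {
		# h3 additionally needs UDP/443 reachable; harmless if it is not.
		protocols h1 h2 h3
	}
}

# Default is `localhost`, for which Caddy issues a locally-trusted cert.
{$DOMAIN:localhost} {
	encode zstd gzip

	# WebSocket (single backend; no stickiness concerns). Caddy performs the
	# Upgrade handshake itself; no extra header plumbing is needed.
	@ws path /api/ws
	handle @ws {
		reverse_proxy node:8080
	}

	# REST API.
	handle /api/* {
		reverse_proxy node:8080
	}

	# /metrics is for the operator's Prometheus only. Fail closed: claim the
	# metrics path here and proxy it only for loopback / RFC 1918 peers.
	# Trailing-slash variants are included so they cannot fall through to
	# the catch-all below. Note the RFC 1918 ranges are broader than "the
	# operator's Prometheus": any host on the same private network (including
	# other containers on a Docker bridge) can scrape. Narrow the list to the
	# Prometheus host or subnet if that matters in your environment.
	@metrics path /metrics /metrics/*
	handle @metrics {
		@internal remote_ip 127.0.0.1 ::1 172.16.0.0/12 192.168.0.0/16 10.0.0.0/8
		handle @internal {
			reverse_proxy node:8080
		}
		# Non-allow-listed peer: deny. No body beyond the word, so nothing
		# about the backend is revealed.
		handle {
			respond "forbidden" 403
		}
	}

	# Anything else → explorer HTML from the node.
	handle {
		reverse_proxy node:8080
	}

	# Access log to stdout as JSON. NOTE(review): the access log records the
	# full request URI; if the API ever carries tokens in query strings they
	# will end up in the log — confirm and filter if so.
	log {
		output stdout
		format json
		level INFO
	}
}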