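# Template: Caddyfile.override
# Purpose: Default configuration for custom containers.
# Description:
# - Serves static files from /srv.
# - Provides a /health endpoint for health checks.
# - Designed to run behind a reverse proxy like Træfik, listening only on port 80.
# - Comes with response headers; the CORS and CSP values are deliberately
#   permissive and should be tightened per deployment (see notes below).
#
# Routing note: every responder lives in a `handle` block. Caddy's default
# directive order runs `handle` before `respond` and `file_server`, so a
# site-level `respond /health` would be shadowed by the GET/HEAD handle
# (a GET health check would fall through to file_server and get a 404 unless
# /srv/health exists), and a site-level `file_server` placed after an
# unmatched `respond` would never be reached.

:80 {
	# Enable compression for text-based resources
	encode gzip zstd

	header {
		# Cross-Origin headers - allow everything.
		# NOTE(review): any origin can read every response served from /srv.
		# Keep this only for public content; otherwise list the expected
		# origins. Allow-Methods advertises OPTIONS and POST, but this site
		# answers anything other than GET/HEAD with 405, so preflighted
		# requests will fail regardless.
		Access-Control-Allow-Origin "*"
		Access-Control-Allow-Methods "GET, OPTIONS, POST"
		Access-Control-Allow-Headers "*"

		# Permissions Policy
		Permissions-Policy "camera=(), microphone=(), geolocation=(), interest-cohort=()"

		# Referrer Policy
		Referrer-Policy "strict-origin-when-cross-origin"

		# HSTS
		# NOTE(review): browsers honour this only on HTTPS responses, i.e. when
		# the fronting proxy terminates TLS. `includeSubDomains; preload`
		# commits the whole domain and every subdomain to HTTPS and is slow to
		# undo; confirm that is intended before shipping it as a default.
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

		# Content Type Options - disabled for more permissive handling
		# (browsers may MIME-sniff responses).
		# NOTE(review): with nosniff off and the CSP below allowing inline and
		# eval'd script, a file in /srv that a browser sniffs as HTML or script
		# can run in this origin. Serve only trusted content from /srv, or
		# re-enable the line below.
		# X-Content-Type-Options "nosniff"

		# XSS Protection
		# NOTE(review): legacy header, ignored by current browsers; current
		# guidance is to send "0" or omit it and rely on the CSP.
		X-XSS-Protection "1; mode=block"

		# Frame Options (prevents clickjacking)
		X-Frame-Options "SAMEORIGIN"

		# Permissive CSP that allows everything.
		# NOTE(review): this policy restricts nothing for script, style or
		# media, so it gives no XSS mitigation. Replace it with a policy
		# matching the served application where possible.
		Content-Security-Policy "default-src * 'unsafe-inline' 'unsafe-eval' data: blob:;"

		# Remove Server header
		-Server
	}

	# HLS specific handling - explicit MIME types for all m3u8 and ts files
	@m3u8Files {
		path *.m3u8
	}
	@tsFiles {
		path *.ts
	}
	header @m3u8Files {
		Content-Type "application/x-mpegURL"
		Access-Control-Allow-Origin "*"
	}
	header @tsFiles {
		Content-Type "video/MP2T"
		Access-Control-Allow-Origin "*"
	}

	# Cache control for static assets - images, fonts, etc.
	@staticAssets {
		path *.jpg *.jpeg *.png *.webp *.avif *.gif *.ico *.svg *.woff *.woff2 *.ttf *.eot
		method GET HEAD
	}
	header @staticAssets Cache-Control "public, max-age=31536000, immutable"
	# `?` only sets the header when it is not already present.
	header @staticAssets ?Access-Control-Allow-Origin *

	# Special handling for CSS and JS files.
	# A one-year immutable lifetime is only safe when file names are
	# fingerprinted; otherwise clients keep stale (possibly vulnerable) scripts.
	@cssAndJs {
		path *.css *.js
		method GET HEAD
	}
	header @cssAndJs Cache-Control "public, max-age=31536000, immutable"

	# Cache HTML files but for a shorter period
	@htmlFiles {
		path *.html
		method GET HEAD
	}
	header @htmlFiles Cache-Control "public, max-age=86400, must-revalidate"

	# Health check endpoint. Wrapped in its own path-matched handle so it is
	# evaluated before the static-file handle below.
	handle /health {
		respond "OK" 200
	}

	# Restrict allowed methods to only GET and HEAD
	@staticRequests {
		method GET HEAD
	}
	handle @staticRequests {
		# Root directory for serving static files
		root * /srv
		file_server
	}

	# Handle all other methods. A 405 response should name the permitted
	# methods in an Allow header.
	handle {
		header Allow "GET, HEAD"
		respond "Method Not Allowed" 405
	}
}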