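# Caddyfile.example — JAMA-HOST reverse proxy
#
# Caddy handles SSL automatically via Let's Encrypt.
# Wildcard certs require a DNS challenge provider.
#
# Prerequisites:
#   1. Install the Caddy DNS plugin for your provider:
#      https://caddyserver.com/docs/automatic-https#dns-challenge
#      Common providers: cloudflare, route53, digitalocean
#
#   2. Set your DNS API token as an environment variable:
#      CF_API_TOKEN=your_cloudflare_token  (or equivalent)
#      Use a token scoped to DNS edits on this zone only, not an
#      account-wide key, and keep it out of this file and out of
#      version control: whoever holds it can rewrite the zone's records.
#
#   3. Add a wildcard DNS record in your DNS provider:
#      *.jamachat.com → your server IP
#      jamachat.com   → your server IP
#
# Usage:
#   Copy this file to /etc/caddy/Caddyfile (or wherever Caddy reads it)
#   Reload: caddy reload
#
# NOTE(review): every site below proxies to localhost:3000. This assumes the
# app container publishes that port on the loopback interface only; if it is
# published on all interfaces, clients can reach the app directly and skip
# TLS and the headers set here. Confirm the port mapping.

# ── Shared security headers ───────────────────────────────────────────────────
# One snippet imported by every site, so the host admin panel on the base
# domain gets the same anti-framing and referrer policy as tenant subdomains.
(security_headers) {
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        X-Content-Type-Options nosniff
        X-Frame-Options DENY
        Referrer-Policy strict-origin-when-cross-origin
        -Server
    }
}

# ── Wildcard subdomain ────────────────────────────────────────────────────────
# Handles team1.jamachat.com, teamB.jamachat.com, etc.
# Replace jamachat.com with your actual HOST_DOMAIN.
*.jamachat.com {
    tls {
        dns cloudflare {env.CF_API_TOKEN}
    }

    # Forward all requests to the jama app container
    reverse_proxy localhost:3000

    # Security headers
    import security_headers

    # Logs (optional)
    # Access logs record client IPs and full request URIs; keep the log
    # directory readable only by the Caddy service account.
    log {
        output file /var/log/caddy/jama-access.log
        format json
    }
}

# ── Base domain (host admin panel) ───────────────────────────────────────────
jamachat.com {
    reverse_proxy localhost:3000

    # Same header set as the tenant sites, including X-Frame-Options DENY,
    # so the admin panel cannot be framed by another origin.
    import security_headers
}

# ── Custom tenant domains ─────────────────────────────────────────────────────
# When a tenant sets up a custom domain (e.g. chat.theircompany.com):
#
#   1. They add a DNS CNAME: chat.theircompany.com → jamachat.com
#
#   2. You add a block here and reload Caddy.
#      Caddy will automatically obtain and renew the SSL cert.
#
# Example:
#
#   chat.theircompany.com {
#       reverse_proxy localhost:3000
#       import security_headers
#   }
#
# Alternatively, use Caddy's on-demand TLS to handle custom domains
# automatically without editing this file.
#
# on_demand_tls is a GLOBAL option: it goes in the unnamed options block,
# which must be the first block in the Caddyfile (above the snippet and the
# sites). Custom domains do not match *.jamachat.com, so they need their own
# catch-all https:// site; keep the two site blocks above as they are.
#
#   {
#       on_demand_tls {
#           ask http://localhost:3000/api/host/verify-domain
#       }
#   }
#
#   https:// {
#       tls {
#           on_demand
#       }
#       reverse_proxy localhost:3000
#       import security_headers
#   }
#
# Caddy calls the ask URL with ?domain=<hostname> before issuing a certificate
# and proceeds only on a 2xx response. The endpoint must answer 2xx solely for
# domains a tenant has actually registered; if it approves everything, any
# hostname pointed at this server triggers issuance and can exhaust the CA's
# rate limits.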