# Caddy inside the Docker container — listens on :80
# The host Caddy reverse-proxies to this container and handles HTTPS.
:80 {
  root * /srv
  encode zstd gzip

  header {
    X-Content-Type-Options nosniff
    X-Frame-Options DENY
    Referrer-Policy strict-origin-when-cross-origin
    Permissions-Policy "geolocation=(), microphone=(), camera=()"
    -Server
  }

  # Long-term caching for hashed assets
  @assets path /assets/* /images/* /logo.svg /public/*
  header @assets Cache-Control "public, max-age=31536000, immutable"

  # SPA fallback: prerendered routes get their own index.html, rest falls back
  try_files {path} {path}/index.html /index.html
  file_server
}