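# Caddyfile for Radicale CalDAV Server
#
# Terminates TLS for caldav.daarion.space, enforces HTTP basic auth at the
# proxy, and forwards authenticated requests to the Radicale container.

# Global options
{
	# Contact address for the ACME account; override with CADDY_ACME_EMAIL.
	email {$CADDY_ACME_EMAIL:admin@daarion.space}

	# On-demand TLS is deliberately not configured. The only site below has a
	# fixed hostname, so its certificate is obtained at startup. On-demand
	# issuance needs an `on_demand_tls { ask <endpoint> }` permission check;
	# without one, any hostname pointed at this server can trigger certificate
	# requests and exhaust CA rate limits.
}

# HTTP to HTTPS redirect
# Catch-all for plain HTTP on any hostname. The redirect target is built from
# the request's Host header, so it is not limited to caldav.daarion.space.
http:// {
	redir https://{host}{uri} 308
}

# CalDAV HTTPS endpoint
# Caddy runs directives in its built-in order, not in file order: header and
# basic_auth are applied before reverse_proxy, so unauthenticated requests
# never reach Radicale.
https://caldav.daarion.space {
	# Reverse proxy to Radicale
	reverse_proxy radicale:5232

	# Security headers
	header {
		# Keep clients on HTTPS after the first visit. Scoped to this host
		# only (no includeSubDomains, no preload).
		Strict-Transport-Security "max-age=31536000"
		X-Frame-Options "SAMEORIGIN"
		X-Content-Type-Options "nosniff"
		# Legacy header: current browsers no longer ship the XSS filter it
		# controls. The CSP below is the effective control.
		X-XSS-Protection "1; mode=block"
		Referrer-Policy "strict-origin-when-cross-origin"
		Content-Security-Policy "default-src 'self'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'"
	}

	# Basic auth for Radicale
	# CADDY_BASIC_AUTH must expand to "<username> <password-hash>"; generate
	# the hash with `caddy hash-password`, never store a plaintext password.
	# NOTE(review): confirm Caddy refuses to start when the variable is unset,
	# so the site cannot come up without authentication.
	# NOTE(review): Radicale's own auth settings are not visible here. Check
	# that it either accepts the forwarded credentials or is unreachable
	# except through this proxy.
	# The directive is spelled `basicauth` on Caddy releases before 2.8.
	basic_auth {
		{$CADDY_BASIC_AUTH}
	}

	# TLS settings
	tls {
		min_version tls1.2

		# cipher_suites applies to TLS 1.2 only; TLS 1.3 suites are not
		# configurable. Caddy issues ECDSA keys unless key_type is changed,
		# and an RSA-only list would leave TLS 1.2 clients with no usable
		# suite, so the ECDSA variants are listed first.
		cipher_suites TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	}
}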