# Caddyfile — Witryna with auto-managed site configs
#
# Site configs are generated by the caddy-deploy.sh hook script
# and imported from /etc/caddy/sites.d/. See examples/hooks/caddy-deploy.sh.
#
# Caddy obtains and renews TLS certificates automatically via ACME.
# See https://caddyserver.com/docs/ for full documentation.

# Import auto-managed site configs
import /etc/caddy/sites.d/*.caddy

# Webhook endpoint — reverse proxy to Witryna
#
# Rate limiting: Caddy does not include built-in rate limiting.
# Install the caddy-ratelimit module for per-IP request limiting:
#   https://github.com/mholt/caddy-ratelimit
#
# Example with caddy-ratelimit (uncomment after installing the module):
#   rate_limit {
#       zone webhook {
#           key    {remote_host}
#           events 10
#           window 1m
#       }
#   }
witryna.example.com {
	reverse_proxy 127.0.0.1:8080

	# Restrict access to POST requests only
	@not_post not method POST
	respond @not_post 405

	# Security headers
	header {
		X-Content-Type-Options "nosniff"
		-Server
	}
}