# Caddyfile for the development front end: terminates TLS on :443, proxies to
# the FastAPI app on localhost:8000, and redirects plain HTTP on :80 to HTTPS.

{
	# Admin API for programmatic route management (future use for ISO downloads).
	# Bound to loopback only. Caddy's admin endpoint has no authentication by
	# default, so any local process that can reach this port can rewrite the
	# running config; keep it off non-loopback interfaces.
	admin localhost:2019

	# For local development, use Caddy's internal CA (see `tls internal` below).
	# In production, Caddy auto-obtains Let's Encrypt certs.
	# NOTE(review): automatic public certificates need a real hostname as the
	# site address; the bare `:443` below has none, so production needs a named
	# site block as well as dropping `tls internal`.
}

# Development configuration (localhost)
:443 {
	# Certificate is issued by Caddy's locally managed CA, which is not publicly
	# trusted; clients must trust that local root or they get certificate warnings.
	tls internal

	# Reverse proxy to FastAPI over plain HTTP on loopback.
	# Active health check: GET /health every 10s, with a 5s timeout per probe.
	reverse_proxy localhost:8000 {
		health_uri /health
		health_interval 10s
		health_timeout 5s
	}

	# Security headers (supplement FastAPI's headers).
	# HSTS: one year, covers subdomains, and carries the `preload` token.
	# NOTE(review): HSTS is keyed on the host name, not the port. Once a browser
	# trusts the local CA and sees this header it may force HTTPS for every
	# service on the same dev host name. Confirm `preload` and
	# `includeSubDomains` are intended outside production.
	# NOTE(review): if FastAPI already emits the same headers, check the proxied
	# response for duplicate header lines.
	header {
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
		X-Content-Type-Options "nosniff"
		X-Frame-Options "DENY"
	}

	# Access logging: JSON records, file rolled at 100mb, 10 rolled files kept.
	# Request URIs (including query strings) are logged, so treat the log
	# directory as sensitive and restrict who can read it.
	log {
		output file /var/log/caddy/access.log {
			roll_size 100mb
			roll_keep 10
		}
		format json
	}
}

# HTTP to HTTPS redirect.
# `{host}` is filled from the request's Host header, so on this catch-all :80
# site the redirect target mirrors whatever host the client sent.
# `permanent` is a 301, which browsers cache.
# NOTE(review): in production, prefer a named site address so the redirect
# target is fixed by configuration.
:80 {
	redir https://{host}{uri} permanent
}