# Copyright (C) 2024-2025 Pextra Inc.
# Global options. NOTE(review): there is no `admin` directive, so Caddy's
# admin API stays at its default (localhost:2019) — confirm that is intended.
{
	# Server options apply to every site block below (:5007 and :5008).
	servers {
		# strict_sni_host insecure_off: Caddy will NOT require the HTTP Host
		# header to match the TLS SNI ServerName. Caddy normally enables that
		# check automatically when tls client_auth is configured (as on
		# :5008), because a Host/SNI mismatch can otherwise route a request
		# past the client-certificate policy of the connection it arrived on.
		# It is only tolerable here because every site is keyed by port rather
		# than by hostname, so Host is not used for routing; presumably it is
		# off so nodes can connect by IP with no SNI — TODO confirm. Do not add
		# hostname-based sites under this setting without revisiting it.
		# TODO: fix this in next iteration
		strict_sni_host insecure_off
		# Listener wrappers run in order on each accepted connection:
		# http_redirect answers a plain-HTTP request on a TLS port with a
		# redirect to https, and must be listed before tls so it can inspect
		# the raw bytes before the TLS handshake.
		listener_wrappers {
			http_redirect
			tls
		}
	}
}

# Request paths that are proxied to pcedaemon. Shared by both proxy
# snippets so the plain-TLS and mTLS servers expose the same API surface.
# Note that /api/* also covers /api/metrics/live, which the proxy snippets
# route to a different upstream.
(snippet_pce_api_paths) {
	@pce_api_paths path /consoleproxy /vncproxy /api/*
}

# Both snippets must proxy the same paths to the same upstreams; they differ only in how the x-client-cert-dn request header is handled (stripped vs. set from the verified client certificate)
# Proxy snippet for the plain-TLS, user-facing server (:5007), where the
# client presents no certificate and therefore has no verified identity.
(pce_api_proxy) {
	import snippet_pce_api_paths

	# Temporary reverse proxy for live metrics server.
	# Listed before the @pce_api_paths route because /api/metrics/live also
	# matches /api/*; keep this ordering. NOTE(review): the Caddyfile adapter
	# only reorders same-directive routes by path length for single-path
	# matchers — confirm file order still decides between these two.
	reverse_proxy /api/metrics/live 127.0.0.1:7777

	# Reverse proxy for pcedaemon
	reverse_proxy @pce_api_paths 127.0.0.1:85 {
		# Strip any client-supplied x-client-cert-dn so an unauthenticated
		# caller cannot forge the identity header that pce_api_proxy_mtls
		# sets from a verified certificate on the mTLS server.
		header_up -x-client-cert-dn
		# Presumably added because Caddy's reverse_proxy does not set
		# X-Forwarded-Port by itself; carries the port this request arrived on.
		header_up x-forwarded-port {http.request.port}
	}
}
# Proxy snippet for the mTLS node-to-node server (:5008). Same paths and
# upstreams as pce_api_proxy; the only difference is that the client
# certificate's subject is forwarded to pcedaemon instead of being stripped.
(pce_api_proxy_mtls) {
	import snippet_pce_api_paths

	# Temporary reverse proxy for live metrics server.
	# Listed before the @pce_api_paths route because /api/metrics/live also
	# matches /api/*; keep this ordering (NOTE(review): confirm the adapter's
	# directive sorting does not reorder these two). The metrics upstream
	# receives no x-client-cert-dn header at all.
	reverse_proxy /api/metrics/live 127.0.0.1:7777

	# Reverse proxy for pcedaemon
	reverse_proxy @pce_api_paths 127.0.0.1:85 {
		# Sets (overwrites, does not append) x-client-cert-dn to the subject of
		# the client certificate, so a caller cannot inject its own value.
		# This is only a trustworthy identity on a server whose tls client_auth
		# verifies the certificate (require_and_verify on :5008); on a server
		# without client_auth the placeholder would be empty.
		header_up x-client-cert-dn {http.request.tls.client.subject}
		header_up x-forwarded-port {http.request.port}
	}
}

# User-facing API and Web UI (server-authenticated TLS only; clients present no certificate)
# Port 5007: plain TLS, no client certificate. Serves the frontend from
# /usr/lib/pce/pceui, the docs under /pce-docs/, and proxies the API via
# pce_api_proxy. Caddy orders handlers by its fixed directive order, not by
# position in this block, so reverse_proxy takes precedence over file_server
# on overlapping paths.
:5007 {
	# NOTE(review): compression also covers proxied API responses; if any of
	# those reflect attacker-controlled input next to a secret, consider
	# excluding them (BREACH-style attacks on compressed TLS responses).
	encode zstd gzip

	# Serve frontend
	root * /usr/lib/pce/pceui
	file_server

	# Canonicalise /pce-docs to the trailing-slash form, presumably so
	# relative links inside the docs resolve under /pce-docs/.
	redir /pce-docs /pce-docs/ permanent
	# handle_path strips the /pce-docs prefix before serving from the docs
	# root. `browse` enables directory listings: fine for documentation, but
	# it exposes every file placed under /usr/lib/pce/pce-docs.
	handle_path /pce-docs/* {
		root * /usr/lib/pce/pce-docs
		file_server browse
	}

	import pce_api_proxy
	# Static certificate/key; no client_auth, so requests here carry no
	# verified identity (pce_api_proxy strips x-client-cert-dn accordingly).
	tls /etc/caddy/pce.crt /etc/caddy/pce.key
}

# Node-to-node RPC: a verified client certificate (mTLS) stands in for the usual authn/authz; its subject is forwarded to pcedaemon as x-client-cert-dn
# Port 5008: mutual TLS. Every connection must present a client certificate
# that chains to the trust pool below, or the handshake fails.
:5008 {
	encode zstd gzip

	# Same server certificate as :5007, plus mandatory client-certificate
	# verification (require_and_verify: a cert must be presented AND must
	# chain to the trust pool).
	tls /etc/caddy/pce.crt /etc/caddy/pce.key {
		client_auth {
			mode require_and_verify
			trust_pool file {
				# The trust anchor is the CockroachDB CA, so ANY certificate
				# issued by that CA (presumably including Cockroach's own node
				# and client certificates, not just PCE nodes) passes the
				# handshake and has its subject forwarded as x-client-cert-dn.
				# Until a dedicated CA exists, authorization rests on pcedaemon
				# checking the forwarded DN — NOTE(review): confirm it does.
				# TODO: use separate CA in next iteration
				pem_file /etc/pce/certs/cockroach/ca.crt
			}
		}
	}

	# Same paths/upstreams as :5007, but the verified certificate subject is
	# forwarded to pcedaemon instead of being stripped.
	import pce_api_proxy_mtls
}