{
    # Global options
    email {$EMAIL}
    # Uncomment for testing to avoid rate limits
    # acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}

{$DOMAIN:localhost} {
    # Automatic HTTPS (Caddy handles Let's Encrypt automatically)
    
    # Reverse proxy to Flask app
    reverse_proxy digiserver:5000 {
        # Headers
        header_up Host {host}
        header_up X-Real-IP {remote_host}
        header_up X-Forwarded-For {remote_host}
        header_up X-Forwarded-Proto {scheme}
        
        # Timeouts for large uploads
        transport http {
            read_timeout 300s
            write_timeout 300s
        }
    }
    
    # File upload size limit (2GB)
    request_body {
        max_size 2GB
    }
    
    # Security headers
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        X-Frame-Options "SAMEORIGIN"
        X-Content-Type-Options "nosniff"
        X-XSS-Protection "1; mode=block"
    }
    
    # Logging
    log {
        output file /var/log/caddy/access.log
    }
}