# Global options
{
    # disable_redirects keeps automatic certificate management but turns off
    # the automatic HTTP->HTTPS redirect. Plain-HTTP requests are therefore
    # answered by whatever site address listens on http:// (see the site block).
    auto_https disable_redirects
    # Contact address registered with the ACME account used for issuance.
    email k.radikal@gmail.com
}

# Consolidated wildcard site block
# Two addresses are served by the same handlers: *.klhoud.com (HTTPS) and
# http://*.klhoud.com (plain HTTP). Because the global options set
# `auto_https disable_redirects`, HTTP requests are not redirected and every
# host below is also reachable unencrypted.
# NOTE(review): that covers the Proxmox, AdGuard Home, Dockge and Nextcloud
# logins, so credentials and session cookies travel in clear text for any
# client that connects over http://. The reason for the http:// address is not
# stated here; if only one host needs it, confirm whether the http:// listener
# can be limited to that host so the others are served over HTTPS only.
# NOTE(review): no handler restricts who may connect; access control rests on
# each application's own login. If this proxy is reachable from outside the
# LAN, consider a `remote_ip` matcher on the admin hosts — confirm exposure.
*.klhoud.com, http://*.klhoud.com {
    # Automatic HTTPS via DNS challenge for all subdomains
    # The Cloudflare API token is substituted from the CLOUDFLARE_API_TOKEN
    # environment variable when the config is loaded.
    # NOTE(review): token scope cannot be seen from here; it should be limited
    # to DNS edit on this one zone, since it can rewrite the zone's records.
    tls {
        dns cloudflare {$CLOUDFLARE_API_TOKEN}
    }
    
    # Proxmox
    @proxmox host proxmox.klhoud.com
    handle @proxmox {
        reverse_proxy https://192.168.0.112:8006 {
            # Required for connecting to Proxmox's self-signed/untrusted certificate
            # tls_insecure_skip_verify turns off all verification of the upstream
            # certificate, so Caddy cannot distinguish the Proxmox node from
            # another host answering on 192.168.0.112:8006.
            # NOTE(review): prefer trusting the Proxmox CA explicitly, e.g.
            # `tls_trusted_ca_certs <PATH_TO_PROXMOX_CA_PEM>` (or `tls_trust_pool`
            # on newer Caddy releases) together with `tls_server_name`, and then
            # drop the skip-verify line. The path is a placeholder.
            transport http {
                tls_insecure_skip_verify
                # Pins the upstream connection to HTTP/1.1. Reason not stated;
                # presumably for the console WebSocket — confirm.
                versions 1.1
            }
        }
    }
    
    # AdGuard Home
    # Upstream is plain HTTP on the LAN.
    @adguard host adguard.klhoud.com
    handle @adguard {
        reverse_proxy 192.168.0.170:80
    }
    
    # Dockge
    # Upstream is plain HTTP on the LAN.
    @dockge host dockge.klhoud.com
    handle @dockge {
        reverse_proxy 192.168.0.12:5001
    }
    
    # Nextcloud
    @cloud host cloud.klhoud.com
    handle @cloud {
        reverse_proxy 192.168.0.12:8080
        # Nextcloud-specific headers
        # HSTS, one year. Browsers honour this header only on HTTPS responses,
        # so it has no effect for clients arriving via the http:// address,
        # and nothing here redirects them to HTTPS.
        header Strict-Transport-Security "max-age=31536000;"
        
        # Handle large file uploads
        # Caps request bodies for this host at 10GB.
        request_body {
            max_size 10GB
        }
    }

    # Coolify (control plane runs on LXC 103).
    # Current setup: coolify-proxy (Traefik) on LXC 103 listens on :80, and the
    # directive below proxies to it over plain HTTP. We added a custom
    # higher-priority router in /data/coolify/proxy/dynamic/coolify-noredirect.yaml
    # there to bypass Coolify's auto-generated http->https redirect (which would
    # loop back through us). WebSocket routes (/app, /terminal/ws) work natively
    # on :80.
    # NOTE(review): an alternative also described for this host, HTTPS upstream
    # to :443 with certificate verification skipped (coolify-proxy's cert is
    # self-signed because its ACME for coolify.klhoud.com fails: DNS points at
    # us, not it), is NOT what the directive below does. It appears to be an
    # earlier approach — confirm and drop this note if so.
    @coolify host coolify.klhoud.com
    handle @coolify {
        reverse_proxy 192.168.0.47:80
    }

    # IMPORTANT: Fallback Handler
    # handle blocks are mutually exclusive; this matcher-less one catches any
    # *.klhoud.com host that none of the matchers above claimed and answers
    # with an explicit 404 instead of Caddy's default empty response.
    handle {
        respond "Not Found" 404
    }
}
