# SPDX-FileCopyrightText: V
# SPDX-License-Identifier: OSL-3.0

# NixOS module: base Caddy configuration. It defines two Caddyfile snippets,
# `(all)` and `(common)`, for site blocks elsewhere to `import`, redirects
# plain HTTP to HTTPS, and opens the web ports on ens3.
# `pkgs` is accepted by the module function but not used here.
{ lib, pkgs, ... }:

{
  services.caddy = {
    enable = true;

    # Snippets must be defined before they are used, so the mkBefore ensures they come first.
    # The string below is Caddyfile syntax, prepended to whatever other
    # modules contribute to extraConfig:
    #   (all)    - access log to /var/log/caddy/access.log and removal of the
    #              Server response header; imported by both blocks below.
    #   http://  - catch-all for plain HTTP: 308 (permanent, method-preserving)
    #              redirect to the same host and URI over HTTPS.
    #   (common) - (all) plus zstd/gzip response compression, HSTS
    #              (max-age 63072000 s = 2 years, includeSubDomains, preload),
    #              a Permissions-Policy disabling interest-cohort (FLoC), the
    #              X-Clacks-Overhead header, and a plain-text error responder.
    #              The CSP is still the TODO inside the snippet; no other
    #              response headers are set at this level.
    extraConfig = lib.mkBefore ''
      (all) {
        log {
          output file /var/log/caddy/access.log
        }
        header -Server
      }

      http:// {
        import all
        redir https://{host}{uri} 308
      }

      (common) {
        import all
        encode zstd gzip
        header {
          Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
          # TODO(V): Define a content security policy. Make it report-only at first, to avoid breaking things.
          Permissions-Policy "interest-cohort=()"
          X-Clacks-Overhead "GNU Terry Pratchett"
        }
        handle_errors {
          respond "{http.error.status_code} {http.error.status_text}"
        }
      }
    '';
  };

  # Only ens3 is opened for HTTP/HTTPS; other interfaces are left to the
  # firewall's default policy (assumed enabled elsewhere in the configuration).
  networking.firewall.interfaces.ens3.allowedTCPPorts = [ 80 443 ];
}