# Inner Caddy: just serves the static dist on :80.
# The host's caddy-docker-proxy handles TLS and routing for the public hostname.

:80 {
	root * /srv
	encode zstd gzip
	file_server

	# SPA-ish fallback: prefer the directory's index.html, then a 404 page.
	try_files {path} {path}/ /404.html

	header {
		# Light security defaults; the outer Caddy can override.
		X-Content-Type-Options "nosniff"
		Referrer-Policy "strict-origin-when-cross-origin"
		Permissions-Policy "interest-cohort=()"
	}

	# Long cache for fingerprinted assets emitted by Astro.
	@hashed path_regexp \.[A-Za-z0-9_-]{8,}\.(js|css|woff2?|svg|png|jpg|jpeg|webp|avif)$
	header @hashed Cache-Control "public, max-age=31536000, immutable"
}