dotfiles/config/ansible/tasks/servers/services/caddy/Caddyfile.j2

# Global configuration for country blocking
{
    servers {
        protocols h1 h2 h3
    }
}

# Country blocking snippet using MaxMind GeoLocation - reusable across all sites
{% if enable_country_blocking | default(false) and allowed_countries_codes | default([]) | length > 0 %}
(country_block) {
    @allowed_local {
        remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1
    }
    @not_allowed_countries {
        not remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1
        not {
            maxmind_geolocation {
                db_path "/etc/caddy/geoip/GeoLite2-Country.mmdb"
                allow_countries {{ allowed_countries_codes | join(' ') }}
            }
        }
    }
    respond @not_allowed_countries "Access denied" 403
}
{% else %}
(country_block) {
    # Country blocking disabled
}
{% endif %}

{% if inventory_hostname == 'mennos-cloud-server' %}
status.vleeuwen.me status.mvl.sh {
   import country_block
   reverse_proxy uptime-kuma:3001
   tls {{ caddy_email }}
}

{% elif inventory_hostname == 'mennos-cachyos-desktop' %}
git.mvl.sh {
   import country_block
   reverse_proxy gitea:3000
   tls {{ caddy_email }}
}

git.vleeuwen.me {
   import country_block
   redir https://git.mvl.sh{uri}
   tls {{ caddy_email }}
}

df.mvl.sh {
   import country_block
   redir / https://git.mvl.sh/vleeuwenmenno/dotfiles/raw/branch/master/setup.sh
   tls {{ caddy_email }}
}

fsm.mvl.sh {
   import country_block
   reverse_proxy factorio-server-manager:80
   tls {{ caddy_email }}
}

fsm.vleeuwen.me {
   import country_block
   redir https://fsm.mvl.sh{uri}
   tls {{ caddy_email }}
}

beszel.mvl.sh {
   import country_block
   reverse_proxy beszel:8090
   tls {{ caddy_email }}
}

beszel.vleeuwen.me {
   import country_block
   redir https://beszel.mvl.sh{uri}
   tls {{ caddy_email }}
}

photos.mvl.sh {
   import country_block
   reverse_proxy immich:2283
   tls {{ caddy_email }}
}

photos.vleeuwen.me {
   import country_block
   redir https://photos.mvl.sh{uri}
   tls {{ caddy_email }}
}

home.vleeuwen.me {
   import country_block
   reverse_proxy host.docker.internal:8123 {
       header_up Host {upstream_hostport}
       header_up X-Real-IP {http.request.remote.host}
       header_up X-Forwarded-For {http.request.remote.host}
       header_up X-Forwarded-Proto {scheme}
       header_up X-Forwarded-Host {host}
   }
   tls {{ caddy_email }}
}

unifi.mvl.sh {
    reverse_proxy unifi-controller:8443 {
        transport http {
            tls_insecure_skip_verify
        }
        header_up Host {host}
        header_up X-Forwarded-Proto https
    }
    tls {{ caddy_email }}
}

hotspot.mvl.sh {
    reverse_proxy unifi-controller:8843 {
        transport http {
            tls_insecure_skip_verify
        }
        header_up Host {host}
        header_up X-Forwarded-Proto https
    }
    tls {{ caddy_email }}
}

hotspot.mvl.sh:80 {
    redir https://hotspot.mvl.sh{uri} permanent
}

bin.mvl.sh {
   import country_block
   reverse_proxy privatebin:8080
   tls {{ caddy_email }}
}

ip.mvl.sh ip.vleeuwen.me {
   import country_block
   reverse_proxy echoip:8080 {
       header_up X-Real-IP {http.request.remote.host}
       header_up X-Forwarded-For {http.request.remote.host}
       header_up X-Forwarded-Proto {scheme}
       header_up X-Forwarded-Host {host}
   }
   tls {{ caddy_email }}
}

http://ip.mvl.sh http://ip.vleeuwen.me {
   import country_block
   reverse_proxy echoip:8080 {
       header_up X-Real-IP {http.request.remote.host}
       header_up X-Forwarded-For {http.request.remote.host}
       header_up X-Forwarded-Proto {scheme}
       header_up X-Forwarded-Host {host}
   }
}

overseerr.mvl.sh {
   import country_block
   reverse_proxy overseerr:5055
   tls {{ caddy_email }}
}

overseerr.vleeuwen.me {
   import country_block
   redir https://overseerr.mvl.sh
   tls {{ caddy_email }}
}

plex.mvl.sh plex.vleeuwen.me {
   import country_block
   reverse_proxy host.docker.internal:32400 {
       header_up Host {upstream_hostport}
       header_up X-Real-IP {http.request.remote.host}
       header_up X-Forwarded-For {http.request.remote.host}
       header_up X-Forwarded-Proto {scheme}
       header_up X-Forwarded-Host {host}
   }
   tls {{ caddy_email }}
}

drive.mvl.sh drive.vleeuwen.me {
   import country_block

   # CalDAV and CardDAV redirects
   redir /.well-known/carddav /remote.php/dav/ 301
   redir /.well-known/caldav /remote.php/dav/ 301

   # Handle other .well-known requests
   handle /.well-known/* {
       reverse_proxy nextcloud:80 {
           header_up Host {host}
           header_up X-Real-IP {http.request.remote.host}
           header_up X-Forwarded-For {http.request.remote.host}
           header_up X-Forwarded-Proto {scheme}
           header_up X-Forwarded-Host {host}
       }
   }

   # Main reverse proxy configuration with proper headers
   reverse_proxy nextcloud:80 {
       header_up Host {host}
       header_up X-Real-IP {http.request.remote.host}
       header_up X-Forwarded-For {http.request.remote.host}
       header_up X-Forwarded-Proto {scheme}
       header_up X-Forwarded-Host {host}
   }

   # Security headers
   header {
       # HSTS header for enhanced security (required by Nextcloud)
       Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
       # Additional security headers recommended for Nextcloud
       X-Content-Type-Options "nosniff"
       X-Frame-Options "SAMEORIGIN"
       Referrer-Policy "no-referrer"
       X-XSS-Protection "1; mode=block"
       X-Permitted-Cross-Domain-Policies "none"
       X-Robots-Tag "noindex, nofollow"
   }

   tls {{ caddy_email }}
}

{% endif %}