# {
# 	email {$ACME_EMAIL}  # contact email for the public ACME (Let's Encrypt) account used in prod
# 	# debug
# }

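(serve_php) {
	# Shared application routing, imported by every site block below.

	# Document root for php_server and both file_server instances.
	root * /app/public

	# /.well-known/* is served as static files from the document root.
	# `handle` (not `handle_path`) is used on purpose: handle_path strips the
	# matched prefix, so /.well-known/security.txt would have been looked up
	# as /app/public/security.txt instead of /app/public/.well-known/security.txt.
	# A separate file_server is needed here because the main file_server
	# below hides dot-directories, which would otherwise cover .well-known.
	@wellknown path /.well-known/*
	handle @wellknown {
		file_server
	}

	# --- Inertia & caching rules -------------------------------------------
	# Inertia XHR responses (X-Inertia header present) differ from the full
	# HTML page at the same URL, so shared caches must key on the Inertia
	# request headers. This sets Vary only; it does not by itself forbid
	# caching — add Cache-Control here (or in the application) if these
	# responses must never be stored.
	@inertia header X-Inertia *
	header @inertia {
		Vary "X-Inertia, X-Inertia-Partial-Component, X-Inertia-Partial-Data"
	}
	# -----------------------------------------------------------------------

	php_server {
		# php_server bundles its own file_server, which runs before the
		# hardened file_server below and would serve existing files
		# (dotfiles included) without the `hide` rule. Disable it so the
		# explicit file_server is the only static-file handler.
		file_server off
	}

	file_server {
		# `hide` takes filesystem paths, not request paths: a pattern with no
		# slash is matched against each path component, so `.*` hides every
		# dotfile and dot-directory under the root (.env, .git, .htaccess, ...).
		# The earlier `/.*` was an absolute glob matched only against the
		# filesystem root and did not cover /app/public/.env.
		hide .*
	}

	encode zstd gzip
}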

# 1) HTTP: healthcheck + redirect to HTTPS for all hosts
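:80 {
	# Plain-HTTP listener for every host: /health answers the probe directly
	# and is never redirected; everything else is sent to HTTPS.
	#
	# Both branches live in `handle` blocks on purpose. Caddy sorts directives
	# by its default directive order, in which a bare `redir` runs before
	# `handle`; a site-level `redir` would therefore have answered /health
	# with a 302 before the health handler ever ran.
	@health path /health
	handle @health {
		respond "ok" 200
	}

	# Fallback handle (no matcher): evaluated only when no other handle matched.
	handle {
		# {host} is the request's Host header, so the target host name is
		# client-supplied but always the same name the client asked for;
		# {uri} keeps path and query.
		redir https://{host}{uri}
	}
}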

# 2) DEV: trusted HTTPS for localhost only (uses internal CA)
localhost, 127.0.0.1, ::1 {
	# Dev-only site: the certificate comes from Caddy's internal CA, so only
	# loopback names are listed here.
	tls internal

	import serve_php

	# Same baseline headers as production, minus HSTS: an HSTS entry for
	# localhost would stick in the browser and break plain-http local testing.
	header X-Content-Type-Options "nosniff"
	# no-referrer-when-downgrade is the browsers' default policy.
	header Referrer-Policy "no-referrer-when-downgrade"

	# Optional dev marker header, currently disabled:
	# header X-Env dev-local
}

{$WWW_DOMAIN} {
	# Alias host: every request is bounced to the same path and query on the
	# canonical domain. `temporary` is the 302 default `redir` uses when no
	# status is given; it is spelled out here so the choice is visible.
	redir * https://{$CANONICAL_DOMAIN}{uri} temporary
}

# 3) PROD: the canonical domain, served with a public Let's Encrypt certificate
{$CANONICAL_DOMAIN} {
	import serve_php

	# Production-only hardening. Each `header` line sets (overwriting any
	# existing value) one response field on every response from this site.
	#
	# HSTS: one year, covers all subdomains, and opts in to browser preload
	# lists — every subdomain must already be reachable over HTTPS, because
	# a preloaded entry cannot be quickly withdrawn.
	header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
	header X-Content-Type-Options "nosniff"
	# no-referrer-when-downgrade is the browsers' default policy.
	header Referrer-Policy "no-referrer-when-downgrade"
}
