# Caddy reverse proxy with bearer token auth and automatic HTTPS.
# The domain is supplied via environment variable GITNEXUS_DOMAIN,
# and the auth token via API_TOKEN. Both are set in docker-compose.yml.

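{$GITNEXUS_DOMAIN} {
	# Site block for the public hostname. {$GITNEXUS_DOMAIN} and {$API_TOKEN}
	# are substituted as text when the Caddyfile is parsed, so both must be
	# set and non-empty before Caddy starts.
	# NOTE(review): confirm the deployment refuses to start without them.

	# Health check — unauthenticated so monitoring can probe it.
	# The request is forwarded upstream as /api/info, so whatever that
	# endpoint returns is readable by anyone who can reach this host.
	# NOTE(review): confirm /api/info exposes nothing sensitive.
	@health path /health
	handle @health {
		reverse_proxy gitnexus:4747 {
			rewrite /api/info
		}
	}

	# All other routes require the bearer token: the Authorization header
	# must equal "Bearer <API_TOKEN>".
	#  - An unset or empty API_TOKEN collapses the expected value to
	#    "Bearer ", which is no longer a secret; treat that as a
	#    deployment error.
	#  - Caddy's header matcher treats a trailing `*` in the value as a
	#    wildcard, so a token ending in `*` would become a prefix match.
	#    Generate the token from letters and digits only; that also keeps
	#    quotes and whitespace out of the parsed config.
	@authed {
		header Authorization "Bearer {$API_TOKEN}"
	}

	handle @authed {
		reverse_proxy gitnexus:4747
	}

	# Reject unauthenticated requests. Written as an explicit fallback
	# `handle` so the deny-by-default does not depend on directive ordering,
	# and with the WWW-Authenticate challenge a 401 response is expected to
	# carry.
	handle {
		header WWW-Authenticate "Bearer"
		respond "Unauthorized" 401
	}
}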
