# certiv.org edge. Static pages are public; hosted writes stay disabled unless
# the API is separately configured with an authenticated executor.
{
	admin off
}

http://127.0.0.1:8081 {
	@health path /healthz
	respond @health "ok" 200
	respond 404
}
{$CERTIV_DOMAIN:certiv.org} {
	encode zstd gzip

	header {
		-Server
		-Via
		Strict-Transport-Security "max-age=31536000; includeSubDomains"
		Content-Security-Policy "default-src 'self'; base-uri 'self'; connect-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'none'; img-src 'self' data:; object-src 'none'; script-src 'none'; style-src 'self' 'unsafe-inline'; upgrade-insecure-requests"
		Permissions-Policy "accelerometer=(), autoplay=(), camera=(), display-capture=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), usb=()"
		Referrer-Policy "strict-origin-when-cross-origin"
		X-Content-Type-Options "nosniff"
		X-Frame-Options "DENY"
		X-Permitted-Cross-Domain-Policies "none"
		Cross-Origin-Opener-Policy "same-origin"
	}
	@badgeResource path /badge/*
	header @badgeResource >Cross-Origin-Resource-Policy "cross-origin"
	@nonBadgeResource {
		not path /badge/*
	}
	header @nonBadgeResource >Cross-Origin-Resource-Policy "same-origin"

	@immutable path_regexp immutable ^/_next/static/.+
	header @immutable Cache-Control "public, max-age=31536000, immutable"

	@machine path /receipt.certiv /ledger-segment.jsonl /api/openapi.json /schema/* /.well-known/certiv.json /.well-known/release.json /.well-known/security.txt
	header @machine Cache-Control "no-cache"
	header @machine X-Robots-Tag "noindex"

	log {
		output file /data/logs/certiv-access.json {
			roll_size 25MiB
			roll_keep 14
			roll_keep_for 336h
		}
		format json
	}

	handle /api/openapi.json {
		root * /srv/web
		header Cache-Control "no-cache"
		header X-Robots-Tag "noindex"
		file_server
	}

	handle /api/* {
		request_body {
			max_size 273MB
		}
		reverse_proxy api:8030 {
			health_uri /api/v1/ready
			health_interval 30s
			health_timeout 3s
		}
	}

	handle /badge/* {
		reverse_proxy api:8030
	}

	handle {
		root * /srv/web
		try_files {path} {path}/ {path}/index.html
		file_server
	}

	handle_errors {
		@notfound expression {http.error.status_code} == 404
		rewrite @notfound /404.html
		root * /srv/web
		file_server
	}
}
