{
    # Keep this ONLY for the .io domains
    local_certs
}

# --- PUBLIC PRODUCTION (.ca) ---
# Cloudflare DNS points these to your Public IP (136.112.149.254)
# Caddy will automatically get REAL Let's Encrypt certificates.

git.corebot.ca {
    reverse_proxy 100.98.158.31:3000 {
        header_up Host {host}
        header_up X-Real-IP {remote_host}
    }
}

core.corebot.ca {
    reverse_proxy 100.80.179.128:9120
}

vault.corebot.ca {
    reverse_proxy 100.120.171.124:8081 {
        header_up Host {host}
        header_up X-Real-IP {remote_host}
        header_up X-Forwarded-Proto {scheme}
    }
}

tos.corebot.ca {
    root * /usr/share/caddy/legal
    file_server
}

privacy.corebot.ca {
    root * /usr/share/caddy/legal
    file_server
}

# --- INTERNAL LAB (.io) ---
# Managed by Pi-hole, only accessible via Tailscale/Internal Network.

main.bray.io {
    tls internal
    reverse_proxy mystic-home:80
}

core.bray.io {
    tls internal
    reverse_proxy 100.80.179.128:9120
}

vault.bray.io {
    tls internal
    reverse_proxy 100.120.171.124:8081
}

git.bray.io {
    tls internal
    reverse_proxy 100.98.158.31:3000
}

dns.bray.io {
    tls internal
    redir / /admin/ 308
    reverse_proxy 100.64.238.34:80
}

database.bray.io {
    tls internal
    reverse_proxy 100.109.59.41:80
}

prometheus.bray.io {
    tls internal
    reverse_proxy prometheus:9090
}

grafana.bray.io {
    tls internal
    reverse_proxy grafana:3000
}