# caddy/Caddyfile.public
# Only one public-facing site: a static landing page explaining there
# is nothing here, and a /.well-known/ path for ACME + webfinger.
#
# Port-forward from the router to 80/443 goes here. Nothing else from
# the homelab is exposed.
#
# Docs: mercemay.top/src/homelab-compose/
# Global options for the public-facing Caddy instance.
{
    # Default logger: JSON lines written to a rotating file
    # (rotate at 20mb, keep 5 rotated files).
    # This block configures Caddy's default logger; per-request access logs
    # are only emitted for sites that enable the `log` directive themselves.
    log default {
        format json
        output file /var/log/caddy/public.log {
            roll_keep 5
            roll_size 20mb
        }
    }

    # Keep automatic certificate management but do not add the automatic
    # HTTP->HTTPS redirects.
    # NOTE(review): port 80 is forwarded to this instance, so plain-HTTP
    # visitors are not redirected, and HSTS only takes effect after a first
    # HTTPS response. Confirm this is intended.
    auto_https disable_redirects

    # No admin API endpoint on the internet-facing instance. Config changes
    # therefore need a restart instead of an API reload.
    admin off
}
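# Public landing site. Only static files from /srv/public are served; the
# block contains no reverse_proxy, so it forwards nothing to other hosts.
# NOTE(review): there is no `log` directive in this site, so no per-request
# access log is written for the one internet-facing host. Add `log` if
# request records are wanted for detection or incident review.
home.example.net, www.home.example.net {
    encode zstd gzip

    # Contact e-mail for the ACME account that issues the certificates.
    tls admin@example.net

    # Security headers added to every response from this site.
    header {
        # includeSubDomains pins every name below the serving host to HTTPS
        # for a year; make sure no subdomain still needs plain HTTP.
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        X-Frame-Options "DENY"
        X-Content-Type-Options "nosniff"
        Referrer-Policy "no-referrer"
        Permissions-Policy "interest-cohort=(), geolocation=(), camera=(), microphone=()"
    }

    # Crawler hygiene, not access control: User-Agent is client-supplied and
    # trivially changed, so this only turns away clients that identify
    # themselves as crawlers.
    # Fix 1: stock Caddy has no `user_agent` matcher, so the rule is written
    # with the standard `header` matcher (values for one field are OR'ed).
    @bots {
        header User-Agent *bot*
        header User-Agent *crawl*
        header User-Agent *spider*
    }

    # Static files under /.well-known/ (e.g. webfinger) from the public root.
    handle /.well-known/* {
        root * /srv/public
        file_server
    }

    # Fix 2: the 403 now lives in its own `handle`. As a site-level `respond`
    # it was ordered after the `handle` blocks, and the catch-all below
    # answers every request, so it was never reached.
    # Caddy sorts `handle` blocks with a path matcher first, so /.well-known/*
    # stays reachable for these clients. Confirm the order with `caddy adapt`.
    handle @bots {
        respond 403
    }

    # Everything else gets the landing page; unknown paths fall back to
    # /index.html.
    # NOTE(review): file_server does not hide dotfiles by default; keep
    # /srv/public limited to files meant to be published.
    handle {
        root * /srv/public
        try_files {path} /index.html
        file_server
    }
}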