# Tinyauth forward auth snippet
# Container: tinyauth (10.228.107.250) on fismen
(tinyauth) {
        forward_auth 10.228.107.250:3000 {
                uri /api/auth/caddy
        }
}

# fismen.no — Glance dashboard (container: glance)
fismen.no {
        import tinyauth
        reverse_proxy 10.228.107.196:8080
}

# ai.fismen.no — Open WebUI (container: openwebui on cube, via Tailscale)
ai.fismen.no {
        reverse_proxy 100.121.19.125:8080
}

# auth.fismen.no — PocketID OIDC provider (container: auth)
auth.fismen.no {
        reverse_proxy 10.228.107.231:1411
}

# bookmarks.fismen.no — Karakeep (container: bookmarks)
bookmarks.fismen.no {
        reverse_proxy 10.228.107.77:3000
}

# books.fismen.no — Booklore (container: books)
books.fismen.no {
        reverse_proxy 10.228.107.23:6060 {
                header_up Host {host}
                header_up X-Real-IP {remote_host}
                header_up X-Forwarded-For {remote_host}
                header_up X-Forwarded-Host {host}
                header_up X-Forwarded-Proto {scheme}
                header_up X-Forwarded-Port {server_port}
        }
}

# docs.fismen.no — Marki wiki (container: marki)
# /raw/* paths are public; all other paths require tinyauth
docs.fismen.no {
    @notraw not path /raw/*
    forward_auth @notraw 10.228.107.250:3000 {
        uri /api/auth/caddy
    }
    reverse_proxy 10.228.107.122:3000
}

# files.fismen.no — Filebrowser (container: filebrowser)
files.fismen.no {
        reverse_proxy 10.228.107.67:8080
}

# monitor.fismen.no — Beszel hub (container: beszel)
monitor.fismen.no {
        reverse_proxy 10.228.107.118:8090
}

# outline.fismen.no — Outline wiki (container: outline)
outline.fismen.no {
        reverse_proxy 10.228.107.254:3000
}

# photos.fismen.no — Immich (container: photos on cube, via Tailscale)
photos.fismen.no {
        reverse_proxy cube.little-lenok.ts.net:2283
}

# status.fismen.no — Gatus status page (container: gatus)
status.fismen.no {
        import tinyauth
        reverse_proxy 10.228.107.102:8080
}

# tiny.fismen.no — Tinyauth UI (container: tinyauth)
tiny.fismen.no {
        reverse_proxy 10.228.107.250:3000
}

# tv.fismen.no — Dispatcharr (container: tv)
tv.fismen.no {
        reverse_proxy 10.228.107.136:9191
}

# ugle.fismen.no — Frigate owl camera (native on royset, via Tailscale)
# TLS verification disabled as Frigate uses self-signed cert
ugle.fismen.no {
        reverse_proxy royset:8971 {
                transport http {
                        tls_insecure_skip_verify
                }
        }
}

# vault.fismen.no — Vaultwarden (container: vaultwarden)
# Bound to Tailscale IP only — not publicly reachable
# Uses Cloudflare DNS challenge (CLOUDFLARE_API_TOKEN env var)
vault.fismen.no {
        bind 100.86.115.86
        reverse_proxy 10.228.107.31:8080

        tls {
                dns cloudflare {env.CLOUDFLARE_API_TOKEN}
        }
}

# video.fismen.no — Plex (container: tv)
video.fismen.no {
        reverse_proxy 10.228.107.38:32400 {
                header_up Host {host}
                header_up X-Real-IP {remote_host}
                header_up X-Forwarded-For {remote_host}
                header_up X-Forwarded-Proto {scheme}
                transport http {
                        versions 1.1 2
                }
        }
}

# lageriet.org — static site, served from filesystem
lageriet.org {
        root * /var/www/lageriet
        file_server
}

# www.lageriet.org — redirect to apex
www.lageriet.org {
        redir https://lageriet.org{uri} permanent
}