# ═══════════════════════════════════════════════════════
#  Jool International — Caddyfile PRODUCTION
#  Domaine : jool-international.com
#  Caddy gère automatiquement HTTPS via Let's Encrypt
# ═══════════════════════════════════════════════════════

# Redirection www → non-www
www.jool-international.com {
    redir https://jool-international.com{uri} permanent
}

jool-international.com {

    # ── Fichiers statiques Django (WhiteNoise les sert aussi,
    #    mais Caddy est plus rapide pour les assets lourds) ──
    handle_path /static/* {
        root * /app/staticfiles
        file_server
        header Cache-Control "public, max-age=31536000, immutable"
    }

    # ── CVs uploadés : jamais accessibles publiquement ───
    handle /media/careers/cvs/* {
        respond 404
    }

    # ── Autres fichiers media ─────────────────────────────
    handle_path /media/* {
        root * /app/media
        file_server
        header Cache-Control "public, max-age=604800"
    }

    # ── Application Django (Gunicorn) ─────────────────────
    handle {
        reverse_proxy web:8000 {
            header_up X-Forwarded-Proto {scheme}
            header_up X-Real-IP {remote_host}
            transport http {
                read_timeout  60s
                write_timeout 60s
            }
        }
    }

    # ── En-têtes de sécurité ──────────────────────────────
    header {
        # HSTS — commencer à 1h, passer à 1 an après validation
        Strict-Transport-Security "max-age=3600; includeSubDomains"
        X-Content-Type-Options    "nosniff"
        X-Frame-Options           "DENY"
        Referrer-Policy           "strict-origin-when-cross-origin"
        Permissions-Policy        "camera=(), microphone=(), geolocation=()"
        # Masquer la signature du serveur
        -Server
        -X-Powered-By
    }

    # ── Logs ──────────────────────────────────────────────
    log {
        output stdout
        format json
        level  WARN
    }

    # ── Encodage gzip/zstd automatique ───────────────────
    encode zstd gzip
}
