{
    # use pinned CA from ./localinfra/certs
    pki {
        ca local {
            name "Tangled Dev"
            root_cn "Tangled Dev Root"
            root {
                format pem_file
                cert /etc/caddy/certs/root.crt
                key /etc/caddy/certs/root.key
            }
        }
    }
}

# did-method-plc
plc.tngl.boltless.dev {
    tls internal
    reverse_proxy plc:8080
}

# pds
*.pds.tngl.boltless.dev, pds.tngl.boltless.dev {
    tls internal
    reverse_proxy pds:3000
}

# jetstream
jetstream.tngl.boltless.dev {
    tls internal
    reverse_proxy jetstream:6008
}

# knot
knot.tngl.boltless.dev {
    tls internal
    reverse_proxy knot:5555
}

# spindle
http://spindle.tngl.boltless.dev {
    reverse_proxy spindle:6555
}

spindle.tngl.boltless.dev {
    tls internal
    reverse_proxy spindle:6555
}

# knotmirror
mirror.tngl.boltless.dev {
    tls internal
    reverse_proxy knotmirror:7000
}

# zoekt (internal service)
zoekt.tngl.boltless.dev {
    tls internal

    # TODO: replace this with -indexserver_proxy flag
    handle_path /indexserver/* {
        reverse_proxy zoekt-tngl-indexserver:6060
    }

    handle {
        reverse_proxy zoekt-webserver:6070
    }
}

# appview
tngl.boltless.dev {
    tls internal
    reverse_proxy appview:3000
}

# pdsls
pdsls.tngl.boltless.dev {
    tls internal
    reverse_proxy pdsls:80
}

# bobbin (read appview / xrpc). permissive CORS so the web/ frontend in the
# browser can hit it cross-origin (bobbin serves no CORS headers itself).
bobbin.tngl.boltless.dev {
    tls internal
    @cors_preflight method OPTIONS
    handle @cors_preflight {
        header Access-Control-Allow-Origin "*"
        header Access-Control-Allow-Methods "GET, POST, OPTIONS"
        header Access-Control-Allow-Headers "Content-Type, authorization, atproto-proxy"
        header Access-Control-Max-Age "86400"
        respond 204
    }
    handle {
        header Access-Control-Allow-Origin "*"
        header Access-Control-Allow-Methods "GET, POST, OPTIONS"
        header Access-Control-Allow-Headers "Content-Type, authorization, atproto-proxy"
        reverse_proxy bobbin:8090
    }
}

# bobbin over plain http on :8090 with permissive CORS, for local web/ dev.
# bobbin serves no CORS headers itself (prod adds them at its reverse proxy).
:8090 {
    @cors_preflight method OPTIONS
    handle @cors_preflight {
        header Access-Control-Allow-Origin "*"
        header Access-Control-Allow-Methods "GET, POST, OPTIONS"
        header Access-Control-Allow-Headers "Content-Type, authorization, atproto-proxy"
        header Access-Control-Max-Age "86400"
        respond 204
    }
    handle {
        header Access-Control-Allow-Origin "*"
        header Access-Control-Allow-Methods "GET, POST, OPTIONS"
        header Access-Control-Allow-Headers "Content-Type, authorization, atproto-proxy"
        reverse_proxy bobbin:8090
    }
}
