{
	# debug
	email peter@peterwood.dev
}

ptrwd.com {
	tls {
		dns cloudflare {
			zone_token {env.CF_ZONE_READ}
			api_token {env.CF_DNS_EDIT}
		}
	}
	# this is the the wiki 
	reverse_proxy ts-racknerd.whale-woodpecker.ts.net:8300
}

wiki.ptrwd.com {
	tls {
		dns cloudflare {
			zone_token {env.CF_ZONE_READ}
			api_token {env.CF_DNS_EDIT}
		}
	}
	# Route ACME challenges explicitly to be handled internally by Caddy
	route /.well-known/acme-challenge/* {
		# No directive needed here; Caddy's internal handler takes precedence.
		# This prevents the challenge requests from being proxied.
	}

	# Proxy all other requests to the wiki
	route {
		reverse_proxy ts-racknerd.whale-woodpecker.ts.net:8300
	}
}

jellyfin.peterwood.rocks {
	tls {
		dns cloudflare {
			zone_token {env.CF_ZONE_READ}
			api_token {env.CF_DNS_EDIT}
		}
	}
	reverse_proxy host.docker.internal:8096
}

# Serve a simple text message for home.ptrwd.com
home.ptrwd.com {
	tls {
		dns cloudflare {
			zone_token {env.CF_ZONE_READ}
			api_token {env.CF_DNS_EDIT}
		}
	}
	# Debugging: Log all requests
	log {
		output stdout
		format console
	}
	# Allow connections only from private ranges and home IP using Cf-Connecting-Ip header
	@allowAccess client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 162.203.102.154/32
	handle @allowAccess {
		respond "Welcome home!" 200 {
			close # Close the connection after responding
		}
	}
	handle {
		respond "Access denied" 403
	}
}

# Reverse proxy for sonarr.home.ptrwd.com
sonarr.home.ptrwd.com {
	tls {
		dns cloudflare {
			zone_token {env.CF_ZONE_READ}
			api_token {env.CF_DNS_EDIT}
		}
	}
	# Allow connections only from private ranges and home IP
	@allowAccess client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 162.203.102.154/32
	handle @allowAccess {
		reverse_proxy ts-io.whale-woodpecker.ts.net:8989
	}
	handle {
		respond 403
	}
}

radarr.home.ptrwd.com {
	tls {
		dns cloudflare {
			zone_token {env.CF_ZONE_READ}
			api_token {env.CF_DNS_EDIT}
		}
	}
	# Allow connections only from private ranges and home IP
	@allowAccess client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 162.203.102.154/32
	handle @allowAccess {
		reverse_proxy ts-io.whale-woodpecker.ts.net:7878
	}
	handle {
		respond 403
	}
}

io.docker.home.ptrwd.com {
	tls {
		dns cloudflare {
			zone_token {env.CF_ZONE_READ}
			api_token {env.CF_DNS_EDIT}
		}
	}
	# Allow connections only from private ranges and home IP
	@allowAccess client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 162.203.102.154/32
	handle @allowAccess {
		reverse_proxy ts-io.whale-woodpecker.ts.net:5001
	}
	handle {
		respond 403
	}
}

europa.docker.home.ptrwd.com {
	tls {
		dns cloudflare {
			zone_token {env.CF_ZONE_READ}
			api_token {env.CF_DNS_EDIT}
		}
	}
	# Allow connections only from private ranges and home IP
	@allowAccess client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 162.203.102.154/32
	handle @allowAccess {
		reverse_proxy ts-europa.whale-woodpecker.ts.net:5001
	}
	handle {
		respond 403
	}
}

racknerd.docker.home.ptrwd.com {
	tls {
		dns cloudflare {
			zone_token {env.CF_ZONE_READ}
			api_token {env.CF_DNS_EDIT}
		}
	}
	# Allow connections only from private ranges and home IP
	@allowAccess client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 162.203.102.154/32
	handle @allowAccess {
		reverse_proxy ts-racknerd.whale-woodpecker.ts.net:5001
	}
	handle {
		respond 403
	}
}