# auto_https off would disable TLS entirely, breaking `tls internal` for the
# air-gap mirror vhosts. disable_redirects keeps the apex/auth/packwiz sites
# plaintext on :80 (they use explicit http://) while still allowing internal
# TLS on the mirror hosts below.
{
	auto_https disable_redirects
}

http://{$BASE_DOMAIN} {
	# Launcher downloads live in a sibling mount (not nested under /srv/www,
	# which is a read-only mount → can't create a nested mountpoint).
	# handle_path strips the /launcher prefix before serving /srv/launcher.
	handle_path /launcher/* {
		root * /srv/launcher
		file_server browse
	}
	handle {
		root * /srv/www
		file_server
	}
}

http://auth.{$BASE_DOMAIN} {
	reverse_proxy drasl:25585
}

http://packwiz.{$BASE_DOMAIN} {
	root * /srv/pack
	file_server browse
}

# Full client air-gap mirror (see plan/11-full-airgap-mirror.md): byte-exact
# copies of the real upstream hosts served over HTTPS with Caddy's local CA.
# dnsmasq spoofs these hostnames -> our host; the {host} placeholder roots each
# hostname at its own mirror subtree. Guests import the Caddy root CA once.
meta.prismlauncher.org, piston-meta.mojang.com, piston-data.mojang.com, libraries.minecraft.net, maven.neoforged.net, resources.download.minecraft.net {
	tls internal
	root * /srv/mirror/{host}
	file_server
}
