timmy-config/deploy/conduit/Caddyfile

# Caddy configuration for Conduit Matrix homeserver
# Location: /etc/caddy/conf.d/matrix.conf (imported by main Caddyfile)
# Reference: docs/matrix-fleet-comms/README.md

matrix.timmy.foundation {
    # Reverse proxy to Conduit
    reverse_proxy localhost:8448 {
        # Headers for WebSocket upgrade (client sync)
        header_up Host {host}
        header_up X-Real-IP {remote}
        header_up X-Forwarded-For {remote}
        header_up X-Forwarded-Proto {scheme}
    }
    
    # Security headers
    header {
        X-Frame-Options DENY
        X-Content-Type-Options nosniff
        X-XSS-Protection "1; mode=block"
        Referrer-Policy strict-origin-when-cross-origin
        Permissions-Policy "geolocation=(), microphone=(), camera=()"
    }
    
    # Enable compression
    encode gzip zstd
    
    # Let's Encrypt automatic TLS
    tls {
        # Email for renewal notifications
        # Uncomment and set: email admin@timmy.foundation
    }
    
    # Logging
    log {
        output file /var/log/caddy/matrix-access.log {
            roll_size 100mb
            roll_keep 5
        }
    }
}

# Well-known delegation for Matrix federation
# Allows other servers to discover our homeserver
timmy.foundation {
    handle /.well-known/matrix/server {
        header Content-Type application/json
        respond `{"m.server": "matrix.timmy.foundation:443"}`
    }
    
    handle /.well-known/matrix/client {
        header Content-Type application/json
        header Access-Control-Allow-Origin *
        respond `{"m.homeserver": {"base_url": "https://matrix.timmy.foundation"}}`
    }
    
    # Redirect root to Element Web or documentation
    redir / https://matrix.timmy.foundation permanent
}