{
	email office@linumiq.com
	on_demand_tls {
		# Self-hosted ask endpoint on :9999 (always 200 in Wave A).
		# TODO Wave B: point ask at https://api.linumiq.net/functions/v1/check-subdomain
		# (an Edge Function that returns 200 only for subdomains present in tunnels table).
		ask http://localhost:9999/check
	}
}

# Apex -> dashboard redirect
linumiq.net {
	tls {
		on_demand
	}
	redir https://app.linumiq.net{uri} permanent
}

# Reserved hostname: Next.js dashboard (upstream not yet running in Wave A)
app.linumiq.net {
	tls {
		on_demand
	}
	reverse_proxy web:3000
}

# Reserved hostname: Supabase API (Kong)
api.linumiq.net {
	tls {
		on_demand
	}
	reverse_proxy supabase-kong:8000
}

# Wildcard tunnel subdomains -> frps vhost HTTP. Per-name HTTP-01 issued on first hit.
*.linumiq.net {
	tls {
		on_demand
	}
	reverse_proxy frps:7080
}

# Internal ask endpoint for on-demand TLS. Bound to loopback inside the container.
http://localhost:9999 {
	respond /check 200
}
