
# Global options block: settings here apply to the whole Caddy instance,
# not to an individual site.
{
# Listener options for the HTTP (:80) and HTTPS (:443) ports.
servers :80,:443 {
# Enables HTTP/1.1, HTTP/2, HTTP/3 and h2c (HTTP/2 without TLS).
# NOTE(review): h2c lets clients speak cleartext HTTP/2 to these listeners;
# confirm it is still required here and drop it if it is not.
protocols h1 h2c h2 h3
}
# Contact address registered with the ACME CA when certificates are issued.
# NOTE(review): hard-coded, while the site address in this file is a template
# variable; consider sourcing it the same way.
email vlad.stus@gmail.com
}
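# Reusable snippet: response headers for every site that runs
# `import security_headers`. The `*` matcher applies them to all requests.
(security_headers) {
	header * {
		# NOTE(review): max-age is one hour, but the HSTS preload list requires
		# at least one year (31536000), so the "preload" token has no effect at
		# this value. Raise max-age once HTTPS is known to work on every
		# subdomain (includeSubDomains covers them all), or drop "preload".
		Strict-Transport-Security "max-age=3600; includeSubDomains; preload"
		# Stops browsers from MIME-sniffing a response away from its declared type.
		X-Content-Type-Options "nosniff"
		# Allows framing by same-origin pages only. A Content-Security-Policy
		# with frame-ancestors is the current equivalent; none is set here.
		X-Frame-Options "SAMEORIGIN"
		# The legacy browser XSS auditor is deprecated, and "1; mode=block" can
		# itself introduce issues in old browsers that still honour it. Current
		# guidance (OWASP Secure Headers) is to disable it explicitly and rely
		# on a Content-Security-Policy instead.
		X-XSS-Protection "0"
		# Remove the Server header so the proxy does not advertise its software.
		-Server
		# Cross-origin requests receive only the origin, never the full URL.
		Referrer-Policy strict-origin-when-cross-origin
	}
}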
# Site block for the NetBird deployment. The site address and the reconciler
# port are Jinja variables filled in when this template is rendered.
{{ netbird_domain }} {
# Apply the shared response headers defined in the (security_headers) snippet.
import security_headers
# Embedded IdP OAuth2 endpoints
# NOTE(review): every `management:80` / `relay:80` / `dashboard:80` upstream
# is reached over plain HTTP; presumably these are names on a private
# container network. Confirm that network is not shared with untrusted workloads.
reverse_proxy /oauth2/* management:80
reverse_proxy /.well-known/openid-configuration management:80
reverse_proxy /.well-known/jwks.json management:80
# NetBird Relay
# NOTE(review): `/relay*` has no slash before the wildcard, so it matches any
# path that merely starts with "/relay"; confirm that breadth is intended.
reverse_proxy /relay* relay:80
# NetBird Signal (gRPC)
# h2c:// sends cleartext HTTP/2 to the upstream.
reverse_proxy /signalexchange.SignalExchange/* h2c://signal:10000
# NetBird Management API (gRPC)
reverse_proxy /management.ManagementService/* h2c://management:80
# NetBird Management REST API
reverse_proxy /api/* management:80
# Reconciler API (strip /reconciler prefix before proxying)
# NOTE(review): no authentication or source-address restriction is applied at
# the proxy for this route, so anyone who can reach the site can reach the
# reconciler. Presumably the reconciler authenticates requests itself; confirm,
# or restrict the route here.
handle_path /reconciler/* {
reverse_proxy reconciler:{{ reconciler_port }}
}
# NetBird Dashboard (catch-all — must be last)
# NOTE(review): Caddy orders same-named directives by path-matcher specificity
# rather than by position in the file; verify with `caddy adapt` that the
# rendered config keeps `/*` behind the more specific routes above.
reverse_proxy /* dashboard:80
}