nxdun · nxdun · May 12, 2026 · May 11, 2026 · May 11, 2026 · May 11, 2026
@@ -46,3 +46,5 @@ TF_VAR_YTDLP_PATH=REPLACE_WITH_TF_VAR_YTDLP_PATH
 TF_VAR_DOWNLOAD_DIR=REPLACE_WITH_TF_VAR_DOWNLOAD_DIR
 TF_VAR_MASTER_API_KEY=REPLACE_WITH_TF_VAR_MASTER_API_KEY
 TF_VAR_WARP_LICENSE_KEY=REPLACE_WITH_TF_VAR_WARP_LICENSE_KEY
+TF_VAR_GRAFANA_ADMIN_USER=REPLACE_WITH_GRAFANA_ADMIN_USER
+TF_VAR_GRAFANA_ADMIN_PASSWORD=REPLACE_WITH_GRAFANA_ADMIN_PASSWORD
@@ -0,0 +1,14 @@
+{
+  "mcpServers": {
+    "grafana": {
+      "command": "uvx",
+      "args": [
+        "mcp-grafana"
+      ],
+      "env": {
+        "GRAFANA_URL": "http://localhost:3000/",
+        "GRAFANA_SERVICE_ACCOUNT_TOKEN": ""
+      }
+    }
+  }
+}
@@ -1,34 +1,62 @@
-# Production Caddyfile.
+{
+    servers {
+        protocols h1
+        trusted_proxies static ${CADDY_CLOUDFLARE_TRUSTED_PROXIES}
+        trusted_proxies_strict
+        client_ip_headers CF-Connecting-IP X-Forwarded-For
+    }
+}
+
 :80 {
-	# note: Redirect all HTTP traffic to HTTPS
-	redir https://api.nadzu.me{uri}
+    redir https://${PRODUCTION_DOMAIN}{uri}
 }
 
-api.nadzu.me:443 {
-	tls /etc/caddy/certs/api.nadzu.me.pem /etc/caddy/certs/api.nadzu.me.key
-
-	@notallowed {
-		path /nadun/fs/*
-		not remote_ip <allowed_ip_address>
-	}
-    # note: Only Allow MY Personal VPN IP
-	abort @notallowed
-
-	route /nadun/fs/* {
-		uri strip_prefix /nadun/fs
-
-		@mp4 path *.mp4
-		header @mp4 {
-			Content-Type "video/mp4"
-			Content-Disposition "inline"
-			Access-Control-Allow-Origin "*"
-		}
-
-		file_server browse {
-			root /home/app/downloads
-			hide lost+found
-		}
-	}
-    # note: DockerCompose Native
-	reverse_proxy app:${APP_PORT}
+${PRODUCTION_DOMAIN}:443 {
+    tls /etc/caddy/certs/${PRODUCTION_DOMAIN}.pem /etc/caddy/certs/${PRODUCTION_DOMAIN}.key
+
+    # Global Matcher: Only your SSH/VPN IPs can pass
+    @internal_only {
+        not client_ip ${SSH_ALLOWED_IPS}
+    }
+
+    # 1. Protected File System
+    handle /nadun/fs/* {
+        respond @internal_only "Forbidden" 403
+
+        uri strip_prefix /nadun/fs
+        @mp4 path *.mp4
+        header @mp4 {
+            Content-Type "video/mp4"
+            Content-Disposition "inline"
+            Access-Control-Allow-Origin "*"
+        }
+
+        file_server {
+            browse /etc/caddy/browse.html
+            root /home/app/downloads
+            hide lost+found
+        }
+    }
+
+    # 2. Protected Grafana Dashboard
+    handle /nadun/grafana/* {
+        respond @internal_only "Forbidden" 403
+        reverse_proxy grafana:3000
+    }
+
+    # 3. Protected Metrics (Internal Telemetry)
+    handle /metrics {
+        respond @internal_only "Forbidden" 403
+        reverse_proxy app:8080
+    }
+
+    # 4. Public API
+    handle {
+        reverse_proxy app:${APP_PORT} {
+            header_up Host {host}
+            transport http {
+                versions 1.1
+            }
+        }
+    }
 }
@@ -1,32 +1,44 @@
 {
     debug
     admin :2026
-    email admin@nadzu.me
     auto_https disable_redirects
 }
 
-# HTTP Protocol
+# HTTP Protocol - Direct API Access
 http://:8080 {
-    handle {
-        reverse_proxy app:8080
-    }
+    reverse_proxy app:8080
 }
 
-# HTTPS Protocol
+# dev only: Redirect plain HTTP for nadzu.localhost to HTTPS permanently
+http://nadzu.localhost {
+    redir https://{host}{uri} 301
+}
+
+# HTTPS Protocol - Full Stack Access
 nadzu.localhost {
     tls internal
 
-    handle_path /downloads/* {
+    # 1. File System Access
+    handle_path /nadun/fs/* {
         root * /var/www/downloads
-
         file_server {
             browse /etc/caddy/browse.html
             hide lost+found
         }
     }
 
-    # Proxy everything else to the Rust backend
+    # 2. Local Grafana Access
+    handle /nadun/grafana/* {
+        reverse_proxy nadzu-grafana:3000
+    }
+
+    # 3. Local Metrics Access
+    handle /metrics {
+        reverse_proxy app:8080
+    }
+
+    # 4. Default API Proxy
     handle {
         reverse_proxy app:8080
     }
-}
+}