# Cloudflare Tunnel Configuration for the Mac Mini production server.
#
# This file is the SINGLE SOURCE OF TRUTH for which public hostnames
# the tunnel exposes. The cloudflared launchd plist is started with
# `--config <path-to-this-file> run` so any change here is one `git pull` +
# `launchctl kickstart -k gui/501/com.cloudflare.cloudflared` away
# from being live in production.
#
# NOTE(review): a merged change to this file publishes a local port on
# the public internet, so it deserves the same review as a firewall
# change. Nothing in this file configures authentication; every origin
# listed below must authenticate requests itself or sit behind a
# Cloudflare Access policy.
#
# NOTE(review): requests reach each origin from the local cloudflared
# process, i.e. from loopback. Confirm no service treats a loopback
# source address as trusted.
#
# Adding a new public hostname:
#   1. Append the hostname / service line below in the matching section
#   2. Make sure the corresponding Cloudflare DNS record exists (the
#      tunnel needs the hostname pointing at its CNAME — see
#      `cloudflared tunnel route dns <tunnel> <hostname>` if not)
#   3. Run `./scripts/mac-mini/sync-tunnel-config.sh` to copy this file
#      onto the Mac Mini and reload cloudflared
#   4. Verify with `curl -sI https://<hostname>/health` (or the route's
#      equivalent) — expect a non-404 status line
#
# Removing a hostname: same steps, just delete the lines.
#
# Catch-all at the bottom returns http_status:404 for any hostname
# Cloudflare routes here that we don't have an explicit ingress rule
# for. This is the desired failure mode.

# The tunnel UUID is an identifier. The credentials file named below is
# what holds the tunnel secret: keep it out of the repository and
# readable only by the account that runs cloudflared.
tunnel: 1435166a-0e3f-4222-8de6-744f32cea5c9
credentials-file: /Users/mana/.cloudflared/1435166a-0e3f-4222-8de6-744f32cea5c9.json

# cloudflared evaluates ingress rules top to bottom and uses the first
# rule that matches the request.
ingress:
  # ============================================
  # SSH (requires cloudflared on the client)
  # ============================================
  # NOTE(review): needing cloudflared on the client is a transport
  # requirement, not access control. No Access policy is visible from
  # this file — confirm one covers ssh.mana.how and that sshd accepts
  # key-based logins only.
  - hostname: ssh.mana.how
    service: ssh://localhost:22

  # ============================================
  # Unified Mana Web App (Port 5000)
  # ============================================
  # Every per-product subdomain points at the same SvelteKit container.
  # The container's hooks.server.ts reads the host header and renders
  # the matching module surface. mana.how itself is the dashboard.
  - hostname: mana.how
    service: http://localhost:5000
  - hostname: chat.mana.how
    service: http://localhost:5000
  - hostname: todo.mana.how
    service: http://localhost:5000
  - hostname: calendar.mana.how
    service: http://localhost:5000
  - hostname: clock.mana.how
    service: http://localhost:5000
  - hostname: contacts.mana.how
    service: http://localhost:5000
  - hostname: quotes.mana.how
    service: http://localhost:5000
  - hostname: skilltree.mana.how
    service: http://localhost:5000
  - hostname: plants.mana.how
    service: http://localhost:5000
  # cards.mana.how → standalone Cards SvelteKit container (apps/cards/apps/web).
  # Was pointed at :5000 (the unified mana-web) until the standalone spinoff
  # landed. mana.how/cards still serves the in-mana cards module.
  - hostname: cards.mana.how
    service: http://localhost:5180
  - hostname: storage.mana.how
    service: http://localhost:5000
  - hostname: presi.mana.how
    service: http://localhost:5000
  - hostname: food.mana.how
    service: http://localhost:5000
  - hostname: photos.mana.how
    service: http://localhost:5000
  - hostname: mukke.mana.how
    service: http://localhost:5000
  - hostname: picture.mana.how
    service: http://localhost:5000
  - hostname: calc.mana.how
    service: http://localhost:5000
  - hostname: citycorners.mana.how
    service: http://localhost:5000
  - hostname: inventar.mana.how
    service: http://localhost:5000
  - hostname: times.mana.how
    service: http://localhost:5000
  - hostname: uload.mana.how
    service: http://localhost:5000
  # memoro.mana.how moved off the unified mana web app (5000) to the
  # Memoro Astro landing container (Code/memoro/apps/landing → :3120) on
  # 2026-05-06. The standalone Memoro stack lives at memoro-api/audio
  # below; the landing is the public marketing site.
  # NB: keep this entry in the Memoro section, not the unified-app block.
  - hostname: context.mana.how
    service: http://localhost:5000
  - hostname: questions.mana.how
    service: http://localhost:5000
  - hostname: moodlit.mana.how
    service: http://localhost:5000

  # ============================================
  # Auth Service (Hono/Bun)
  # ============================================
  - hostname: auth.mana.how
    service: http://localhost:3001

  # ============================================
  # Unified Backend API (Hono/Bun, port 3060)
  # ============================================
  # apps/api hosts every product compute module (calendar, chat,
  # picture, planta, news, who, …) under /api/v1/{module}/*. The
  # unified web app's PUBLIC_MANA_API_URL_CLIENT points here.
  - hostname: mana-api.mana.how
    service: http://localhost:3060

  # ============================================
  # mana-ai — background AI Mission Runner
  # ============================================
  # Serves the user-facing decrypt-audit endpoint
  # /api/v1/me/ai-audit that powers the Workbench "Datenzugriff" tab.
  # The background tick loop + /metrics stay internal; only the
  # JWT-gated user endpoint is public.
  # NOTE(review): this rule has no `path` filter, so every path served
  # on :3067 is reachable through this hostname. Keeping /metrics
  # internal therefore depends on the service itself (or a separate
  # listener) — confirm, or narrow the rule with an ingress `path` regex.
  - hostname: mana-ai.mana.how
    service: http://localhost:3067

  # ============================================
  # API Gateway (Go)
  # ============================================
  # Older gateway in front of the per-service compute layer. New
  # services should go directly through mana-api above; this gateway
  # only handles legacy entry points.
  - hostname: api.mana.how
    service: http://localhost:3016

  # ============================================
  # Forgejo (Git + CI/CD)
  # ============================================
  # (no ingress rules are listed under this header at present)

  # ============================================
  # Standalone microservices
  # ============================================
  # NOTE(review): these are service APIs published directly. No auth is
  # visible from this file; verify each one rejects unauthenticated
  # requests (llm, credits and subscriptions in particular).
  - hostname: uload-api.mana.how
    service: http://localhost:3070
  - hostname: media.mana.how
    service: http://localhost:3011
  - hostname: llm.mana.how
    service: http://localhost:3025
  - hostname: sync.mana.how
    service: http://localhost:3010
  - hostname: credits.mana.how
    service: http://localhost:3002
  - hostname: subscriptions.mana.how
    service: http://localhost:3063
  - hostname: events.mana.how
    service: http://localhost:3065
  - hostname: research.mana.how
    service: http://localhost:3068
  - hostname: feedback.mana.how
    service: http://localhost:3064

  # ============================================
  # mana e.V. platform (Code/mana, separate repo)
  # Lives under ~/projects/mana-platform/ on the Mac Mini, deployed via
  # infrastructure/docker-compose.macmini.yml. Coexists with this stack.
  # ============================================
  # NOTE(review): an admin surface and what looks like a package
  # registry (4873 is the Verdaccio default port — confirm) are
  # published here. Confirm both are gated by Cloudflare Access or
  # app-level auth, and that the registry refuses anonymous publish.
  - hostname: admin.mana.how
    service: http://localhost:3071
  - hostname: npm.mana.how
    service: http://localhost:4873

  # ============================================
  # Memoro (Code/memoro, separate repo)
  # ~/projects/memoro-deploy/ on the Mac Mini.
  # ============================================
  - hostname: memoro.mana.how
    service: http://localhost:3120
  # Web-App (SvelteKit static SPA). Lives next to memoro-api/memoro-audio
  # at first-level subdomain depth so Cloudflare Universal SSL covers it.
  - hostname: memoro-app.mana.how
    service: http://localhost:3130
  - hostname: memoro-api.mana.how
    service: http://localhost:3110
  - hostname: memoro-audio.mana.how
    service: http://localhost:3101

  # ============================================
  # Standalone web apps (separate containers)
  # ============================================
  - hostname: playground.mana.how
    service: http://localhost:5050
  - hostname: manavoxel.mana.how
    service: http://localhost:5028

  # ============================================
  # Who? Game (standalone Bun stack, running natively on the Mac Mini under PM2)
  # Source: ~/projects/who/, deploy doc: who/docs/MAC_MINI_DEPLOY.md
  # ============================================
  - hostname: who.mana.how
    service: http://localhost:5092
  - hostname: who-api.mana.how
    service: http://localhost:3092

  # ============================================
  # Self-hosted landing pages (Nginx on port 4400)
  # ============================================
  - hostname: it.mana.how
    service: http://localhost:4400
  - hostname: chats.mana.how
    service: http://localhost:4400
  - hostname: pics.mana.how
    service: http://localhost:4400
  - hostname: quotess.mana.how
    service: http://localhost:4400
  - hostname: presis.mana.how
    service: http://localhost:4400
  - hostname: clocks.mana.how
    service: http://localhost:4400
  - hostname: docs.mana.how
    service: http://localhost:4400

  # ============================================
  # Monitoring & observability
  # ============================================
  # (no ingress rules are listed under this header at present)

  # ============================================
  # GPU services (NOT in this tunnel)
  # ============================================
  # gpu-llm / gpu-stt / gpu-tts / gpu-img / gpu-video / gpu-ollama
  # are served by a SEPARATE cloudflared tunnel running on the Windows
  # GPU box itself (`mana-gpu-server` tunnel ID 83454e8e-...). Routing
  # them via the Mac Mini's tunnel would cause DNS routing conflicts
  # because each Cloudflare DNS CNAME can only point at one tunnel.

  # ============================================
  # Catch-all (returns 404 for any unmapped hostname)
  # ============================================
  # Must stay the last rule: it has no hostname, so it matches every
  # request that reaches it, and any rule placed after it would never
  # be evaluated.
  - service: http_status:404