# FleetOps — static analytics SPA served by Caddy. # Traefik (via Coolify) terminates TLS, so Caddy is a plain :80 file server. # The only moving part is runtime API-base injection: Caddy's `templates` # directive evaluates {{env "API_BASE"}} inside /env.js at request time, so the # SAME image serves staging (fleetapi.fivetitude.com) and prod # (fleetapi.rahamafresh.com) — set API_BASE per Coolify app. :80 { root * /srv encode zstd gzip # Security headers (FO-SEC-03). CSP allows self + the two pinned CDNs, the # CARTO basemap (styles/tiles/fonts) and the fleet APIs; SRI in index.html # pins the CDN payloads themselves. frame-ancestors 'none' = no clickjacking. # script-src keeps 'unsafe-inline' because the whole app is one inline #