# Port map (final):
#   9000 Caddy HTTP  (redirect + ACME webroot)
#   9001 Caddy HTTPS
#   9010 taler-hacktivism (merchant nginx TLS)
#   9011 taler-exchange-hacktivism (exchange httpd)
#   9012 taler-bank-hacktivism (libeufin-bank)

{
	email info+koopa@hacktivism.ch
	http_port 9000
	https_port 9001
	auto_https disable_redirects
	# Caddy listens on 9001 behind VeciGate/https-proxy :443.
	# Default HTTP/3 would send Alt-Svc: h3=":9001" which browsers then try
	# on the public host — port 9001 is not the public HTTPS entry (443 is).
	# That breaks sites after first visit (especially dual-stack clients).
	servers {
		protocols h1 h2
	}
}

taler.hacktivism.ch {
	tls /etc/caddy/certs/taler.hacktivism.ch/fullchain.pem /etc/caddy/certs/taler.hacktivism.ch/privkey.pem
	header Alt-Svc "clear"
	reverse_proxy https://127.0.0.1:9010 {
		transport http {
			tls_insecure_skip_verify
		}
		header_up Host {host}
	}
}

exchange.hacktivism.ch {
	tls /etc/caddy/certs/exchange.hacktivism.ch/fullchain.pem /etc/caddy/certs/exchange.hacktivism.ch/privkey.pem
	header Alt-Svc "clear"
	reverse_proxy 127.0.0.1:9011 {
		header_up Host {host}
	}
}

bank.hacktivism.ch {
	header Alt-Svc "clear"
	handle_path /intro/* {
		root * /var/www/bank-landing
		file_server
	}
	redir /intro /intro/ 302
	redir / /intro/ 302

	reverse_proxy 127.0.0.1:9012 {
		header_up Host {host}
	}
}

http://taler.hacktivism.ch, http://exchange.hacktivism.ch, http://bank.hacktivism.ch {
	handle /.well-known/acme-challenge/* {
		root * /var/www/acme
		file_server
	}
	handle {
		redir https://{host}{uri} permanent
	}
}
