# Internal only (not in the browser URL):
# 9010 merchant API | 9011 exchange API | 9012 bank API
# 9013 bank landing | 9014 exchange landing | 9015 merchant landing
# 9020 castopod | 9021 bonfire | 9022 prime | 9023 bt | 9024 forgejo | 9200 forgejo-ssh

{
    email info+koopa@hacktivism.ch
    http_port 9000
    https_port 9001
    auto_https disable_redirects
    # Caddy listens on 9001 behind VeciGate/https-proxy :443.
    # Default HTTP/3 would send Alt-Svc: h3=":9001" — break public HTTPS on :443.
    servers {
        protocols h1 h2
    }
}

(proxy_public) {
    header_up Host {host}
    header_up X-Forwarded-Host {host}
    header_up X-Forwarded-Proto {scheme}
    header_up X-Forwarded-Port 443
    header_down Location "^https?://[^/]+:90[0-9]{2}(.*)$" "https://{host}$1"
}

taler.hacktivism.ch {
    tls /etc/caddy/certs/taler.hacktivism.ch/fullchain.pem /etc/caddy/certs/taler.hacktivism.ch/privkey.pem
    header Alt-Svc "clear"

    # Public landing first
    redir / /intro/ 302

    handle /intro* {
        reverse_proxy 127.0.0.1:9015 {
            import proxy_public
        }
    }

    # SPA: /webui → /webui/
    redir /webui /webui/ 302

    # Merchant API + WebUI (nginx :9010 → unix socket)
    reverse_proxy https://127.0.0.1:9010 {
        transport http {
            tls_insecure_skip_verify
        }
        import proxy_public
    }
}

exchange.hacktivism.ch {
    tls /etc/caddy/certs/exchange.hacktivism.ch/fullchain.pem /etc/caddy/certs/exchange.hacktivism.ch/privkey.pem
    header Alt-Svc "clear"

    # Public landing first
    redir / /intro/ 302

    handle /intro* {
        reverse_proxy 127.0.0.1:9014 {
            import proxy_public
        }
    }

    reverse_proxy 127.0.0.1:9011 {
        import proxy_public
    }
}

bank.hacktivism.ch {
    header Alt-Svc "clear"

    # Public landing first
    redir / /intro/ 302

    handle /intro* {
        reverse_proxy 127.0.0.1:9013 {
            import proxy_public
        }
    }

    # Static terms/privacy on landing nginx :9013
    handle /terms* {
        reverse_proxy 127.0.0.1:9013 {
            import proxy_public
        }
    }
    handle /privacy* {
        reverse_proxy 127.0.0.1:9013 {
            import proxy_public
        }
    }

    reverse_proxy 127.0.0.1:9012 {
        import proxy_public
    }
}

castopod.hacktivism.ch {
    header Alt-Svc "clear"
    reverse_proxy 127.0.0.1:9020 {
        header_up Host {host}
        header_up X-Forwarded-For {remote_host}
    }
}

bonfire.hacktivism.ch {
    header Alt-Svc "clear"
    reverse_proxy 127.0.0.1:9021 {
        header_up Host {host}
        header_up X-Forwarded-For {remote_host}
        flush_interval -1
    }
}

prime.hacktivism.ch {
    header Alt-Svc "clear"
    reverse_proxy 127.0.0.1:9022 {
        header_up Host {host}
        header_up X-Forwarded-For {remote_host}
        flush_interval -1
    }
}

bt.hacktivism.ch {
    header Alt-Svc "clear"
    reverse_proxy 127.0.0.1:9023 {
        header_up Host {host}
        header_up X-Forwarded-For {remote_host}
    }
}

# 9024 forgejo HTTP (SSH :9200 host-direct, not via Caddy)
git.hacktivism.ch {
    header Alt-Svc "clear"
    reverse_proxy 127.0.0.1:9024 {
        header_up Host {host}
        header_up X-Forwarded-For {remote_host}
        header_up X-Forwarded-Proto {scheme}
        flush_interval -1
        transport http {
            read_timeout 3600s
            write_timeout 3600s
        }
    }
}

http://taler.hacktivism.ch, http://exchange.hacktivism.ch, http://bank.hacktivism.ch, http://castopod.hacktivism.ch, http://bonfire.hacktivism.ch, http://prime.hacktivism.ch, http://bt.hacktivism.ch, http://git.hacktivism.ch {
    handle /.well-known/acme-challenge/* {
        root * /var/www/acme
        file_server
    }
    handle {
        redir https://{host}{uri} permanent
    }
}
