# Internal only (not in the browser URL):
# 9010 merchant API | 9011 exchange API | 9012 bank API
# 9013 bank landing | 9014 exchange landing | 9015 merchant landing
# 9020 castopod | 9021 bonfire | 9022 prime | 9023 bt

{
	email info+koopa@hacktivism.ch
	http_port 9000
	https_port 9001
	auto_https disable_redirects
	# Caddy listens on 9001 behind VeciGate/https-proxy :443.
	# Default HTTP/3 would send Alt-Svc: h3=":9001" — break public HTTPS on :443.
	servers {
		protocols h1 h2
	}
}

(proxy_public) {
	header_up Host {host}
	header_up X-Forwarded-Host {host}
	header_up X-Forwarded-Proto {scheme}
	header_up X-Forwarded-Port 443
	header_down Location "^https?://[^/]+:90[0-9]{2}(.*)$" "https://{host}$1"
}

taler.hacktivism.ch {
	tls /etc/caddy/certs/taler.hacktivism.ch/fullchain.pem /etc/caddy/certs/taler.hacktivism.ch/privkey.pem
	header Alt-Svc "clear"

	# Public landing first
	redir / /intro/ 302

	handle /intro* {
		reverse_proxy 127.0.0.1:9015 {
			import proxy_public
		}
	}

	# SPA: /webui → /webui/
	redir /webui /webui/ 302

	# Merchant API + WebUI (nginx :9010 → unix socket)
	reverse_proxy https://127.0.0.1:9010 {
		transport http {
			tls_insecure_skip_verify
		}
		import proxy_public
	}
}

exchange.hacktivism.ch {
	tls /etc/caddy/certs/exchange.hacktivism.ch/fullchain.pem /etc/caddy/certs/exchange.hacktivism.ch/privkey.pem
	header Alt-Svc "clear"

	# Public landing first
	redir / /intro/ 302

	handle /intro* {
		reverse_proxy 127.0.0.1:9014 {
			import proxy_public
		}
	}

	reverse_proxy 127.0.0.1:9011 {
		import proxy_public
	}
}

bank.hacktivism.ch {
	header Alt-Svc "clear"

	# Public landing first
	redir / /intro/ 302

	handle /intro* {
		reverse_proxy 127.0.0.1:9013 {
			import proxy_public
		}
	}

	# Static terms/privacy on landing nginx :9013 (optional; needs locations there)
	handle /terms* {
		reverse_proxy 127.0.0.1:9013 {
			import proxy_public
		}
	}
	handle /privacy* {
		reverse_proxy 127.0.0.1:9013 {
			import proxy_public
		}
	}

	reverse_proxy 127.0.0.1:9012 {
		import proxy_public
	}
}

castopod.hacktivism.ch {
	header Alt-Svc "clear"
	reverse_proxy 127.0.0.1:9020 {
		header_up Host {host}
		header_up X-Forwarded-For {remote_host}
	}
}

bonfire.hacktivism.ch {
	header Alt-Svc "clear"
	reverse_proxy 127.0.0.1:9021 {
		header_up Host {host}
		header_up X-Forwarded-For {remote_host}
		flush_interval -1
	}
}

prime.hacktivism.ch {
	header Alt-Svc "clear"
	reverse_proxy 127.0.0.1:9022 {
		header_up Host {host}
		header_up X-Forwarded-For {remote_host}
		flush_interval -1
	}
}

bt.hacktivism.ch {
	header Alt-Svc "clear"
	reverse_proxy 127.0.0.1:9023 {
		header_up Host {host}
		header_up X-Forwarded-For {remote_host}
	}
}

http://taler.hacktivism.ch, http://exchange.hacktivism.ch, http://bank.hacktivism.ch, http://castopod.hacktivism.ch, http://bonfire.hacktivism.ch, http://prime.hacktivism.ch, http://bt.hacktivism.ch {
	handle /.well-known/acme-challenge/* {
		root * /var/www/acme
		file_server
	}
	handle {
		redir https://{host}{uri} permanent
	}
}
