merchant: start/health + certbot_renew (container nginx TLS :8081, ACME :8082)

This commit is contained in:
Hernâni Marques 2026-06-29 16:11:55 +02:00
parent ad85a60c62
commit 4823c8f602
No known key found for this signature in database
13 changed files with 795 additions and 0 deletions

View file

@ -0,0 +1,50 @@
# Container: /etc/nginx/sites-available/taler-merchant
# Enabled: sites-enabled/taler-merchant → this file
# Host publish: 9010/tcp (podman pasta). Caddy terminates public HTTPS and
# reverse_proxies to https://127.0.0.1:9010 (see configs/caddy/Caddyfile).
server {
listen 9010 ssl;
listen [::]:9010 ssl;
server_name taler.hacktivism.ch;
ssl_certificate /etc/letsencrypt/live/taler.hacktivism.ch/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/taler.hacktivism.ch/privkey.pem;
access_log /var/log/nginx/merchant.log;
error_log /var/log/nginx/merchant.err;
# Public landing first (Caddy should also redir / → /intro/; this covers :9010)
location = / {
return 302 /intro/;
}
# Merchant-httpd only serves /terms and /privacy without trailing slash
location = /terms/ {
return 302 /terms;
}
location = /privacy/ {
return 302 /privacy;
}
location / {
proxy_pass http://unix:/var/run/taler-merchant/httpd/merchant-http.sock;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host "taler.hacktivism.ch";
proxy_set_header X-Forwarded-Proto "https";
}
}
server {
# ACME HTTP-01 is handled by Caddy :9000; this block kept for reference.
# listen 9010;
# listen [::]:9010;
server_name taler.hacktivism.ch;
location /.well-known/acme-challenge/ {
alias /var/www/letsencrypt/.well-known/acme-challenge/;
}
}