{
	# HAProxy fronts this host. It passes TLS through untouched to Caddy on
	# :8443 and lets ACME HTTP-01 traffic reach :80 via its acl passthrough,
	# so Caddy never binds the public ports itself.
	https_port 8443
	http_port 80

	servers :8443 {
		listener_wrappers {
			# Every connection HAProxy forwards is prefixed with a PROXY protocol
			# v2 header (`send-proxy-v2` in haproxy.cfg). This wrapper consumes
			# that header so the access log records the real client address
			# instead of HAProxy's. It has to precede `tls`: TLS is terminated
			# on the already-unwrapped byte stream.
			proxy_protocol {
				timeout 5s
				# Only these source networks may assert a client address through a
				# PROXY header. HAProxy lives in the host netns and reaches Caddy
				# over host loopback (see docker-compose.yml), so loopback is the
				# sole trusted peer. Peers outside the list are handled by the
				# wrapper's fallback_policy, which defaults to ignore (header not
				# honoured, socket peer address used) — verify for the Caddy
				# version in use.
				# NOTE(review): the match only holds if Caddy itself observes the
				# peer as loopback. Under Docker bridge networking the peer would
				# be the bridge gateway and the header would be quietly dropped;
				# confirm against docker-compose.yml.
				allow ::1/128 127.0.0.0/8
			}
			tls
		}
	}
	# NOTE(review): :80 carries no proxy_protocol wrapper, so HAProxy's :80
	# backend must not send a PROXY header — confirm in haproxy.cfg.
}

# Static site for the domain taken from the DOMAIN environment variable.
{$DOMAIN} {
	# `*` is required here: a bare `/srv` would be read as a path matcher.
	root * /srv
	# NOTE(review): file_server exposes every readable path below /srv,
	# dotfiles included, unless `hide` is configured — confirm /srv holds
	# only content meant to be public.
	file_server
}