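# nginx.conf — the-nexus.alexanderwhitestone.com
#
# DNS SETUP:
#   Add an A record pointing the-nexus.alexanderwhitestone.com → <SERVER_PUBLIC_IP>
#   Then obtain a TLS cert with Let's Encrypt:
#     certbot certonly --nginx -d the-nexus.alexanderwhitestone.com
#   (or, to use the /.well-known/acme-challenge/ webroot served below:
#     certbot certonly --webroot -w /var/www/certbot -d the-nexus.alexanderwhitestone.com)
#
# INSTALL:
#   sudo cp nginx.conf /etc/nginx/sites-available/the-nexus
#   sudo ln -sf /etc/nginx/sites-available/the-nexus /etc/nginx/sites-enabled/the-nexus
#   sudo nginx -t && sudo systemctl reload nginx
#
# NOTE on add_header: nginx does NOT inherit add_header directives from an
# enclosing block once a location declares any add_header of its own. Every
# location below that sets a header therefore repeats the full security-header
# set; otherwise HSTS / nosniff / X-Frame-Options would silently be missing on
# exactly those responses (assets, index.html, /health).

# ── HTTP → HTTPS redirect ───────────────────────────────────────────────────
server {
    listen 80;
    listen [::]:80;
    server_name the-nexus.alexanderwhitestone.com;

    # ACME HTTP-01 challenges must remain reachable over plain HTTP.
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# ── HTTPS ───────────────────────────────────────────────────────────────────
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name the-nexus.alexanderwhitestone.com;

    # TLS — managed by Certbot; update paths if the cert lives elsewhere.
    ssl_certificate     /etc/letsencrypt/live/the-nexus.alexanderwhitestone.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/the-nexus.alexanderwhitestone.com/privkey.pem;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_protocols       TLSv1.2 TLSv1.3;
    # nginx's default cipher list; replace with a curated list (e.g. the
    # Mozilla "intermediate" profile) if legacy clients need not be supported.
    ssl_ciphers         HIGH:!aNULL:!MD5;

    # Security headers (server-wide default; repeated in locations that add
    # their own headers — see NOTE at top of file).
    # "preload" commits the domain to the browser HSTS preload list; drop it
    # unless the domain is actually submitted there.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Content-Type-Options    nosniff always;
    add_header X-Frame-Options           SAMEORIGIN always;
    add_header Referrer-Policy           strict-origin-when-cross-origin always;

    # ── gzip ────────────────────────────────────────────────────────────────
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_min_length 1024;
    gzip_types text/plain text/css text/javascript application/javascript
               application/json application/wasm image/svg+xml font/woff font/woff2;

    # ── Health check endpoint ───────────────────────────────────────────────
    # Simple endpoint for uptime monitoring. Exact match so that only /health
    # answers "OK" (the former prefix match also matched /health/anything).
    # default_type sets the Content-Type of the `return` body; add_header
    # Content-Type would have produced a second, duplicate header instead.
    location = /health {
        default_type text/plain;
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
        add_header X-Content-Type-Options    nosniff always;
        add_header X-Frame-Options           SAMEORIGIN always;
        add_header Referrer-Policy           strict-origin-when-cross-origin always;
        return 200 "OK";
    }

    # ── WebSocket proxy (/ws) ───────────────────────────────────────────────
    # Forwards to the Hermes / presence backend running on port 8080.
    # Adjust the upstream address if the WS server lives elsewhere.
    location /ws {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host       $host;
        # Same client-identity headers as the "/" proxy, so the WS backend can
        # log/rate-limit by real client address rather than 127.0.0.1.
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Long idle timeouts: WebSocket connections are expected to stay open.
        proxy_read_timeout 86400s;
        proxy_send_timeout 86400s;
    }

    # ── Static files — proxied to nexus-main Docker container ───────────────
    location / {
        proxy_pass http://127.0.0.1:4200;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Long-lived cache for hashed/versioned assets.
        location ~* \.(js|css|woff2?|ttf|otf|eot|svg|ico|png|jpg|jpeg|gif|webp|avif|wasm)$ {
            proxy_pass http://127.0.0.1:4200;
            proxy_set_header Host $host;
            expires 1y;
            add_header Cache-Control "public, immutable";
            # Security headers repeated: the add_header above would otherwise
            # discard the server-level set for every asset response.
            add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
            add_header X-Content-Type-Options    nosniff always;
            add_header X-Frame-Options           SAMEORIGIN always;
            add_header Referrer-Policy           strict-origin-when-cross-origin always;
            access_log off;
        }

        # index.html must always be revalidated.
        location = /index.html {
            proxy_pass http://127.0.0.1:4200;
            proxy_set_header Host $host;
            add_header Cache-Control "no-cache, must-revalidate";
            # Security headers repeated for the same reason as above; the HTML
            # document is the response where X-Frame-Options matters most.
            add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
            add_header X-Content-Type-Options    nosniff always;
            add_header X-Frame-Options           SAMEORIGIN always;
            add_header Referrer-Policy           strict-origin-when-cross-origin always;
        }
    }
}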