# nginx vhost for the RFC app — single-process FastAPI behind nginx,
# frontend served as static files from the Vite build output.
#
# Install:
#   sudo cp deploy/nginx/rfc.wiggleverse.org.conf \
#       /etc/nginx/sites-available/rfc.wiggleverse.org
#   sudo ln -s /etc/nginx/sites-available/rfc.wiggleverse.org \
#       /etc/nginx/sites-enabled/
#   sudo nginx -t && sudo systemctl reload nginx
#
# Then add the Let's Encrypt cert:
#   sudo certbot --nginx -d rfc.wiggleverse.org
# Certbot will rewrite this file to add the 443 listener and certificate
# directives; the rest of the config below stays as written.

server {
    listen 80;
    listen [::]:80;
    server_name rfc.wiggleverse.org;

    # Static SPA assets live in the Vite build output. The systemd unit
    # runs as user `rfc-app`; make sure nginx (usually `www-data`) can
    # read this path. Either group-add www-data into rfc-app's group, or
    # chmod o+r on the dist/ tree.
    root /opt/rfc-app/frontend/dist;
    index index.html;

    # API routes are proxied to the FastAPI process. SSE chat streams
    # need proxy_buffering off so chunks reach the browser immediately;
    # the long read_timeout matches a slow LLM turn.
    location /api/ {
        proxy_pass http://127.0.0.1:8000;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
        proxy_cache off;
        proxy_read_timeout 1h;
    }

    location /auth/ {
        proxy_pass http://127.0.0.1:8000;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # SPA fallback — any non-asset path falls back to index.html so
    # React Router can take over.
    location / {
        try_files $uri $uri/ /index.html;
    }

    # Cache the hashed JS/CSS bundles aggressively; Vite includes a
    # content-hash in the filename so updates bust the cache for free.
    location ~* \.(js|css|woff2?|ttf|otf|eot|png|jpg|jpeg|gif|svg|ico)$ {
        try_files $uri =404;
        expires 1y;
        add_header Cache-Control "public, immutable";
    }

    # Reasonable upload cap. Adjust if RFC bodies grow large.
    client_max_body_size 4M;
}