# conf.d — only upstream/server blocks here

# upstream (used consistently)
upstream app1_up {
    zone app1_up 64k;
    server app1:8000 resolve;
}

# default catch-all on port 80 (health + static + proxy)
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

    access_log /var/log/nginx/tsmatter.access.log;
    error_log  /var/log/nginx/tsmatter.error.log info;

    location = /_ping {
        proxy_pass http://app1_up/_ping;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_connect_timeout 5s;
        proxy_read_timeout 10s;
    }

    location /static/ {
        alias /app/static/;
        access_log off;
        expires 1d;
    }

    location / {
        proxy_pass http://app1_up;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Connection "";
        proxy_buffering off;
        proxy_connect_timeout 5s;
        proxy_read_timeout 60s;
    }
}

# redirect HTTP -> HTTPS for construction.tsmatter.com
server {
    listen 80;
    listen [::]:80;
    server_name construction.tsmatter.com;
    return 301 https://$host$request_uri;
}

# HTTPS server for construction.tsmatter.com
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name construction.tsmatter.com;

    root /usr/share/nginx/html;
    index construction.tsmatter.html index.html;
    
    ssl_certificate     /etc/ssl/fullchain.crt;
    ssl_certificate_key /etc/ssl/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    access_log /var/log/nginx/tsmatter.access.log;
    error_log  /var/log/nginx/tsmatter.error.log info;

    # API routes proxied to app
    location /api/v1/ {
        proxy_pass http://app1_up;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 90s;
        proxy_connect_timeout 5s;
        proxy_send_timeout 30s;
    }

    location ^~ /api/ {
        proxy_pass http://app1:8000;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
        proxy_redirect off;
    }

    # serve static files first; if not found, return index.html; otherwise proxy to app
    location / {
        try_files $uri $uri/ index.html @app;
    }

    location @app {
        proxy_pass http://app1:8000;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
    }

    # TEMP PoC stub — exact match so it wins over proxy
    location = /api/v1/tax-audit/finance/invoices/process {
        add_header X-Stub "nginx-poc" always;
        add_header Content-Type "application/json; charset=utf-8" always;
        add_header Access-Control-Allow-Origin "*" always;
        add_header Access-Control-Allow-Headers "Content-Type,Authorization" always;
        add_header Access-Control-Allow-Methods "GET,POST,OPTIONS" always;
        return 200 '{"message":"invoice process (PoC) accepted","result":{"total":1840}}';
    }
}