events {}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
    resolver 127.0.0.11 ipv6=off;

    # ───────────── upstreams to Docker services ─────────────
    upstream backend5000 { server server1:5000; }   # auth & free
    upstream backend5001 { server server2:5001; }   # onet, distance, etc.
    upstream backend5002 { server server3:5002; }   # premium
    upstream gitea_backend { server gitea:3000; }   # gitea service (shared network)
    upstream woodpecker_backend { server woodpecker-server:8000; }

    ########################################################################
    # 1.  HTTP → HTTPS redirect for the main site
    ########################################################################
    server {
        listen 80;
        listen [::]:80;
        server_name dev1.aptivaai.com;
        return 301 https://$host$request_uri;
    }

    ########################################################################
    # 2.  Main virtual host  (dev1.aptivaai.com)  on :443
    ########################################################################
    server {
        listen 443 ssl;
        http2  on;                     # modern syntax
        server_name dev1.aptivaai.com;

        ssl_certificate     /etc/letsencrypt/live/dev1.aptivaai.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/dev1.aptivaai.com/privkey.pem;
        ssl_protocols       TLSv1.2 TLSv1.3;

        # ───── React static assets ─────
        root /usr/share/nginx/html;
        index index.html;
        location / {
            try_files $uri $uri/ /index.html;
        }
        location ~* \.(?:ico|css|js|gif|jpe?g|png|woff2?|eot|ttf|svg)$ {
            expires 6M;
            access_log off;
        }

        # ───── API reverse‑proxy rules ─────
        location ^~ /api/onet/          { proxy_pass http://backend5001; }
        location ^~ /api/chat/          { proxy_pass http://backend5001; proxy_http_version 1.1; proxy_buffering off; }
        location ^~ /api/job-zones      { proxy_pass http://backend5001; }
        location ^~ /api/salary         { proxy_pass http://backend5001; }
        location ^~ /api/cip/           { proxy_pass http://backend5001; }
        location ^~ /api/tuition/       { proxy_pass http://backend5001; }
        location ^~ /api/projections/   { proxy_pass http://backend5001; }
        location ^~ /api/skills/        { proxy_pass http://backend5001; }
        location ^~ /api/ai-risk        { proxy_pass http://backend5002; }
        location ^~ /api/maps/distance  { proxy_pass http://backend5001; }
        location ^~ /api/schools        { proxy_pass http://backend5001; }
        location ^~ /api/support        { proxy_pass http://backend5001; }
        location ^~ /api/data/          { proxy_pass http://backend5001; }
        location ^~ /api/careers/       { proxy_pass http://backend5001; }
        location ^~ /api/programs/      { proxy_pass http://backend5001; }
        
        location ^~ /api/premium/       { proxy_pass http://backend5002; }
        location ^~ /api/public/        { proxy_pass http://backend5002; }

        location ^~ /api/               { proxy_pass http://backend5000; }

        # shared proxy headers
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        error_page 502 503 504 /50x.html;
        location = /50x.html { root /usr/share/nginx/html; }
    }

    ########################################################################
    # 3.  Gitea virtual host  (HTTPS)  gitea.dev1.aptivaai.com
    ########################################################################
    server {
        listen 443 ssl;
        http2  on;
        server_name gitea.dev1.aptivaai.com;
        client_max_body_size 1024m;

        ssl_certificate     /etc/letsencrypt/live/gitea.dev1.aptivaai.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/gitea.dev1.aptivaai.com/privkey.pem;
        ssl_protocols       TLSv1.2 TLSv1.3;

        location / {
            proxy_pass http://gitea_backend;
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
    }

    ########################################################################
    # 4.  Gitea HTTP → HTTPS redirect
    ########################################################################
    server {
        listen 80;
        server_name gitea.dev1.aptivaai.com;
        return 301 https://$host$request_uri;
    }
  ########################################################################
# 5.  Woodpecker CI  –  HTTPS  ci.dev1.aptivaai.com
########################################################################

server {
    listen 443 ssl;
    http2  on;
    server_name  ci.dev1.aptivaai.com;

    ssl_certificate      /etc/letsencrypt/live/ci.dev1.aptivaai.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/ci.dev1.aptivaai.com/privkey.pem;
    ssl_protocols        TLSv1.2 TLSv1.3;

    location / {
        proxy_http_version 1.1;
        proxy_set_header   Connection            "";
        proxy_set_header   Host                  $host;
        proxy_set_header   X-Real-IP             $remote_addr;
        proxy_set_header   X-Forwarded-For       $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto     https;
        proxy_pass         http://woodpecker_backend;
    }
}

########################################################################
# 6.  Woodpecker  –  HTTP → HTTPS redirect
########################################################################
server {
    listen 80;
    server_name ci.dev1.aptivaai.com;
    return 301 https://$host$request_uri;
}}