# dss.overbits.luz.uy - Updated Nginx Configuration
# Updated: 2025-12-08
# Owner: overbits
# Description: Design System Server (DSS) - Production Build
# Serves static files directly + proxies API to FastAPI backend

server {
    server_name dss.overbits.luz.uy;

    access_log /var/log/nginx/dss_overbits_luz_uy_access.log;
    error_log /var/log/nginx/dss_overbits_luz_uy_error.log;

    # Basic Authentication (preserves existing security)
    auth_basic "DSS Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd_ds_overbits;

    # Root directory for static files (production build)
    root /home/overbits/apps/design-system-swarm/admin-ui/dist;
    index index.html;

    # Storybook proxy (unchanged)
    location /storybook/ {
        proxy_pass http://127.0.0.1:6006/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    # API proxy to FastAPI backend (NEW)
    # This resolves CORS and ensures API requests use authenticated session
    location /api/ {
        proxy_pass http://127.0.0.1:8002;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Support for POST requests (browser logging)
        proxy_set_header Content-Type application/json;

        # Timeouts
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
    }

    # Serve static files (admin-ui production build)
    location / {
        try_files $uri $uri/ /index.html;

        # Cache static assets
        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
            expires 1y;
            add_header Cache-Control "public, immutable";
        }
    }

    # SSL configuration (unchanged)
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/dss.overbits.luz.uy/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/dss.overbits.luz.uy/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

# HTTP to HTTPS redirect (unchanged)
server {
    if ($host = dss.overbits.luz.uy) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name dss.overbits.luz.uy;
    listen 80;
    return 404; # managed by Certbot
}