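# nginx.conf (or drop in /etc/nginx/sites-available/cathode)
#
# This config:
#   1. Serves the Cathode static files at the root
#   2. Proxies /api/* to WeeChat's relay with WebSocket support
#   3. Handles TLS termination (you must provide your own certs, or use
#      certbot: sudo certbot --nginx -d cathode.example.com)
#
# Replace cathode.example.com and cert paths as needed.
#
# Each directive must sit on its own line: nginx treats everything after a
# '#' up to the end of the line as a comment, so a copy of this file with the
# line breaks stripped configures nothing.

server {
    listen 80;
    server_name cathode.example.com;

    # Redirect all HTTP → HTTPS.
    # The target is built from $server_name, not $host: $host echoes the
    # client-supplied Host header, so if this block ends up as the default
    # server for port 80 the redirect would point wherever the request says.
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name cathode.example.com;

    # TLS certificates (use certbot or provide your own)
    ssl_certificate     /etc/letsencrypt/live/cathode.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cathode.example.com/privkey.pem;

    # Modern TLS settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # Serve Cathode static files
    root /var/www/cathode;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }

    # Proxy WeeChat relay API — REST and WebSocket
    # WeeChat listens on localhost:9000 — adjust if needed.
    # Keep the relay bound to loopback (WeeChat's relay.network.bind_address)
    # so clients cannot reach it except through this TLS-terminating proxy.
    location /api {
        proxy_pass http://localhost:9000;

        # Required for WebSocket upgrade
        # (these headers are sent on every proxied request, REST calls included)
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Standard proxy headers
        # X-Real-IP is set by nginx from the TCP peer address.
        # $proxy_add_x_forwarded_for appends that address to whatever
        # X-Forwarded-For the client sent, so only the last entry is trustworthy.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # WebSocket connections can be long-lived — raise the timeouts
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
        proxy_connect_timeout 10s;

        # Disable buffering for real-time streaming
        proxy_buffering off;
    }

    # Security headers
    # nginx inherits add_header from this level only into blocks that declare
    # no add_header of their own; adding one inside a location drops all of
    # these for that location unless they are repeated there.
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options DENY always;
    add_header Referrer-Policy strict-origin-when-cross-origin always;
    # Optional: once HTTPS is confirmed working, enable HSTS so browsers stop
    # attempting plain HTTP for this host.
    # add_header Strict-Transport-Security "max-age=31536000" always;

    # Compression
    gzip on;
    gzip_types text/css application/javascript text/plain;
    gzip_min_length 1024;
}

# ── Local / LAN setup (no domain, plain HTTP) ────────────────────────────────
# If you're on a LAN without a domain, use this simpler block.
# Cathode connect screen: uncheck TLS, use ws:// (port 8080 here).
#
# Without TLS the relay password and all chat traffic cross the network
# unencrypted, so keep this to a network you trust. "listen 8080;" binds every
# interface; "listen <LAN_IP>:8080;" (placeholder — your host's LAN address)
# restricts it to one.
#
# server {
#     listen 8080;
#
#     root /var/www/cathode;
#     index index.html;
#
#     location / {
#         try_files $uri $uri/ =404;
#     }
#
#     location /api {
#         proxy_pass http://localhost:9000;
#         proxy_http_version 1.1;
#         proxy_set_header Upgrade $http_upgrade;
#         proxy_set_header Connection "upgrade";
#         proxy_read_timeout 3600s;
#         proxy_buffering off;
#     }
# }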