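# Reverse proxy in front of three upstreams: the Next.js frontend (web), the
# Strapi CMS (cms) and the authentik SSO server (authentik).
#
# Layout note: every "#" comment sits on its own line. nginx treats everything
# after "#" up to the end of the line as a comment, so a comment that shares a
# line with directives silently disables them.

events {
    worker_connections 1024;
}

http {
    # Do not advertise the nginx version in error pages and the Server header.
    server_tokens off;

    # Send "Connection: upgrade" upstream only when the client actually asked
    # for a protocol upgrade (WebSocket); otherwise send "close". Used by the
    # catch-all location below in place of a hard-coded "upgrade".
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    upstream web {
        server web:3000;
    }

    upstream cms {
        server cms:1337;
    }

    upstream authentik {
        server authentik-server:9000;
    }

    server {
        # Plain HTTP only. Every route below, including the SSO (/auth/),
        # session (/api/auth/) and CMS admin (/admin) routes, is served
        # unencrypted by this block, so credentials and session cookies are
        # readable on the network path unless TLS is terminated in front of
        # this proxy or a 443 server block is added.
        listen 80;

        # "_" matches no real hostname; as the only server on this port the
        # block acts as the default and accepts any Host value, which is then
        # forwarded upstream via "Host $host". Upstreams that build absolute
        # URLs from Host (login redirects, e-mail links) should validate it,
        # or replace "_" with the real hostname(s).
        server_name _;

        # Applies to every location below, including the auth endpoints; a
        # smaller per-location limit can be set where large uploads are not
        # expected.
        client_max_body_size 100M;

        # Forwarded-header caveats, valid for every proxied location below:
        #  - $proxy_add_x_forwarded_for appends $remote_addr to whatever
        #    X-Forwarded-For the client sent, so the leading entries are
        #    client-controlled. Upstreams should use X-Real-IP or the last
        #    entry for rate limiting and audit logs.
        #  - $scheme describes the connection to this nginx and is always
        #    "http" here. If TLS is terminated by something in front of this
        #    proxy, upstreams will still be told the request was plain HTTP.

        # Redirect all HTTP to HTTPS (optional — remove if no SSL yet)
        # Enabling this as written would define "location /" twice, which
        # nginx rejects; it has to replace the catch-all below, and the ACME
        # challenge location must stay reachable over HTTP.
        # location / {
        #     return 301 https://$host$request_uri;
        # }

        # --- Authentik (SSO) accessible at /auth ---
        # NOTE(review): authentik's reverse-proxy guidance calls for WebSocket
        # upgrade headers; confirm whether this location needs them.
        location /auth/ {
            proxy_pass http://authentik;
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        # --- Next.js Auth API routes ---
        location /api/auth/ {
            proxy_pass http://web;
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        # --- AFC Store API (if enabled) ---
        location /api/afc/ {
            proxy_pass http://web;
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        # --- Strapi API ---
        # Longest-prefix matching sends /api/auth/ and /api/afc/ to "web";
        # every other /api/ path lands here.
        location /api/ {
            proxy_pass http://cms;
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        # --- Strapi Admin Panel ---
        # Reachable by any client that can reach this proxy. If the panel is
        # only used from known networks, restrict it here, e.g.:
        #     allow <ADMIN_NETWORK_CIDR>;   # placeholder, fill in
        #     deny  all;
        location /admin {
            proxy_pass http://cms;
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        # --- Strapi Uploads ---
        # Uploaded files are served from the same origin as the application.
        # NOTE(review): confirm the CMS sends an accurate Content-Type and
        # "X-Content-Type-Options: nosniff" for these responses.
        location /uploads/ {
            proxy_pass http://cms;
            proxy_set_header Host $host;
        }

        # --- Next.js Frontend (catch-all) ---
        location / {
            proxy_pass http://web;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            # Resolved by the map above: "upgrade" for WebSocket handshakes,
            # "close" for ordinary requests.
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        # --- Certbot challenge ---
        # Served from local disk, not proxied.
        location /.well-known/acme-challenge/ {
            root /var/www/certbot;
        }
    }
}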