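# /etc/nginx/sites-available/kenjim.conf
#
# SSL reverse proxy for kenjim.com subdomains.
# Certificate managed by acme.sh (DNS-01 via GoDaddy).
# Cert path: /etc/nginx/ssl/kenjim.com/
#
# TLS policy: every 443 server block below states the same
# ssl_protocols / ssl_ciphers pair. A block that omits them inherits
# whatever the http context (or nginx's built-in default) allows, which on
# older releases includes TLSv1 and TLSv1.1. Depending on the nginx/OpenSSL
# build, the default_server's protocol list can also govern the handshake for
# every name on the socket, so the catch-all block must not be left looser
# than the named ones.
#
# key.pem is the private key for all hosts served here; it should be readable
# only by the account that starts nginx.

# Redirect all HTTP to HTTPS.
# NOTE(review): this is the default_server and $host comes from the client's
# request, so the Location header echoes whatever hostname was sent. Splitting
# this into named servers (with a catch-all that returns 444) would limit
# redirects to the hostnames actually served here.
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    return 301 https://$host$request_uri;
}

# Catch-all for unknown hostnames on 443.
# The TLS handshake still completes and presents the kenjim.com certificate;
# `return 444` then closes the connection without sending an HTTP response.
# On nginx 1.19.4+ `ssl_reject_handshake on;` refuses the handshake itself and
# avoids disclosing the certificate to clients probing by IP -- confirm the
# installed version before switching.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    ssl_certificate     /etc/nginx/ssl/kenjim.com/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/kenjim.com/key.pem;
    # Same policy as the named servers; see "TLS policy" in the file header.
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;

    return 444;
}

# Gitea — git.kenjim.com
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name git.kenjim.com;

    ssl_certificate     /etc/nginx/ssl/kenjim.com/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/kenjim.com/key.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;

    # Gitea runs directly on the host (systemd), not in Docker
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        # X-Real-IP is the TCP peer address as seen by nginx.
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends to any X-Forwarded-For the client
        # sent, so the backend should trust only the last entry (or X-Real-IP)
        # when making access or rate-limit decisions.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# www.kenjim.com — update proxy_pass when container is running
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.kenjim.com;

    ssl_certificate     /etc/nginx/ssl/kenjim.com/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/kenjim.com/key.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;

    location / {
        proxy_pass http://127.0.0.1:8080;  # update port to match container
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Client-supplied X-Forwarded-For entries are preserved; only the last
        # entry is added by this proxy.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# kenji.kenjim.com — update proxy_pass when container is running
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name kenji.kenjim.com;

    ssl_certificate     /etc/nginx/ssl/kenjim.com/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/kenjim.com/key.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;

    location / {
        proxy_pass http://127.0.0.1:8082;  # update port to match container
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Client-supplied X-Forwarded-For entries are preserved; only the last
        # entry is added by this proxy.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# gt.kenjim.com — CNAME pointing elsewhere; reject cleanly if it lands here.
# As with the catch-all, the handshake completes before `return 444` closes
# the connection, so the TLS policy is stated here too.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name gt.kenjim.com;

    ssl_certificate     /etc/nginx/ssl/kenjim.com/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/kenjim.com/key.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;

    return 444;
}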