# Gitea — allows iframe embedding from admin (app.cmlite.org)
server {
    listen 80;
    server_name git.cmlite.org;
    add_header Content-Security-Policy "frame-ancestors 'self' app.cmlite.org" always;

    # Increase max body size for large git pushes (2GB)
    client_max_body_size 2048M;

    location / {
        set $upstream_gitea http://gitea-changemaker:3000;
        proxy_pass $upstream_gitea;
        proxy_hide_header X-Frame-Options;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# n8n — allows iframe embedding from admin (app.cmlite.org)
server {
    listen 80;
    server_name n8n.cmlite.org;
    add_header Content-Security-Policy "frame-ancestors 'self' app.cmlite.org" always;

    location / {
        set $upstream_n8n http://n8n-changemaker:5678;
        proxy_pass $upstream_n8n;
        proxy_hide_header X-Frame-Options;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# Grafana
server {
    listen 80;
    server_name grafana.cmlite.org;
    add_header X-Frame-Options "SAMEORIGIN" always;

    location / {
        set $upstream_grafana http://grafana-changemaker:3000;
        proxy_pass $upstream_grafana;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# NocoDB (data browser) — allows iframe embedding from admin (app.cmlite.org)
server {
    listen 80;
    server_name db.cmlite.org;
    add_header Content-Security-Policy "frame-ancestors 'self' app.cmlite.org" always;

    location / {
        set $upstream_nocodb http://changemaker-v2-nocodb:8080;
        proxy_pass $upstream_nocodb;
        proxy_hide_header X-Frame-Options;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Listmonk
server {
    listen 80;
    server_name listmonk.cmlite.org;
    add_header X-Frame-Options "SAMEORIGIN" always;

    location / {
        set $upstream_listmonk http://listmonk-app:9000;
        proxy_pass $upstream_listmonk;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# MkDocs — allows iframe embedding from admin (app.cmlite.org)
server {
    listen 80;
    server_name docs.cmlite.org;
    add_header Content-Security-Policy "frame-ancestors 'self' app.cmlite.org" always;

    location / {
        set $upstream_mkdocs http://mkdocs-changemaker:8000;
        proxy_pass $upstream_mkdocs;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# Code Server — allows iframe embedding from admin (app.cmlite.org)
server {
    listen 80;
    server_name code.cmlite.org;
    add_header Content-Security-Policy "frame-ancestors 'self' app.cmlite.org" always;

    location / {
        set $upstream_code http://code-server-changemaker:8080;
        proxy_pass $upstream_code;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# MailHog (email testing) — allows iframe embedding from admin (app.cmlite.org)
server {
    listen 80;
    server_name mail.cmlite.org;
    add_header Content-Security-Policy "frame-ancestors 'self' app.cmlite.org" always;

    location / {
        set $upstream_mailhog http://mailhog-changemaker:8025;
        proxy_pass $upstream_mailhog;
        proxy_hide_header X-Frame-Options;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # WebSocket support for MailHog live updates
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# --- Embed proxy ports (for iframe embedding without DNS/subdomain) ---
# These listen on dedicated ports so the admin GUI can iframe services via
# localhost:PORT, bypassing X-Frame-Options without needing *.localhost DNS.

server {
    listen 8881;
    location / {
        set $upstream_nocodb http://changemaker-v2-nocodb:8080;
        proxy_pass $upstream_nocodb;
        proxy_hide_header X-Frame-Options;
        proxy_hide_header Content-Security-Policy;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 8882;
    location / {
        set $upstream_n8n http://n8n-changemaker:5678;
        proxy_pass $upstream_n8n;
        proxy_hide_header X-Frame-Options;
        proxy_hide_header Content-Security-Policy;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

server {
    listen 8883;
    # Increase max body size for large git pushes (2GB)
    client_max_body_size 2048M;
    location / {
        set $upstream_gitea http://gitea-changemaker:3000;
        proxy_pass $upstream_gitea;
        proxy_hide_header X-Frame-Options;
        proxy_hide_header Content-Security-Policy;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 8884;
    location / {
        set $upstream_mailhog http://mailhog-changemaker:8025;
        proxy_pass $upstream_mailhog;
        proxy_hide_header X-Frame-Options;
        proxy_hide_header Content-Security-Policy;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# MkDocs built static site — root domain
server {
    listen 80;
    server_name cmlite.org;

    location / {
        set $upstream_site http://mkdocs-site-server-changemaker:80;
        proxy_pass $upstream_site;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Homepage dashboard
server {
    listen 80;
    server_name home.cmlite.org;
    add_header X-Frame-Options "SAMEORIGIN" always;

    location / {
        set $upstream_homepage http://homepage-changemaker:3000;
        proxy_pass $upstream_homepage;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}