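# nginx reverse-proxy block for levcs-instance.
#
# Use this if your VPS already runs nginx (e.g. fronting Forgejo) and
# you'd rather add a server block than introduce Caddy. Assumes
# certbot-style cert paths; adjust for your own ACME setup.
#
# The instance terminates HTTP only — nginx handles TLS and forwards
# plaintext to 127.0.0.1:7117. Keep the instance bound to loopback so
# the unauthenticated plaintext port is never reachable from outside.

server {
    # nginx 1.25.1+ deprecates the `http2` listen parameter in favour of
    # a separate `http2 on;` directive; the form below still works on
    # older releases.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name levcs.example.com;

    ssl_certificate     /etc/letsencrypt/live/levcs.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/levcs.example.com/privkey.pem;

    # Federation surface and the operational health probe. Anything
    # else returns 404 — no web UI exists yet, so be explicit.
    #
    # The trailing (/|$) keeps the match on a path-segment boundary:
    # without it the pattern is a bare prefix match and would also
    # forward look-alike paths such as /healthfoo or /levcs/v10 to the
    # instance. Widen it deliberately if the instance serves more paths.
    location ~ ^/(levcs/v1|health)(/|$) {
        proxy_pass http://127.0.0.1:7117;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        # X-Real-IP is set by nginx from the TCP peer and cannot be
        # supplied by the client.
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For
        # the client sent, so only the last entry is trustworthy. Do not
        # base access decisions or rate limits on the first entry.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Pack responses can be large on a fresh clone. Long timeouts
        # keep slow connections from being cut off mid-stream.
        proxy_read_timeout 5m;
        proxy_send_timeout 5m;
        # Upper bound on a single request body. This limit is enforced
        # before the instance sees the request, so size it to the
        # largest push you actually expect.
        client_max_body_size 1g;

        # Federation request signing covers the body via BLAKE3, so
        # nginx must not buffer a request to a temp file and silently
        # rewrite it — pass through unchanged. With buffering off the
        # body is streamed to the instance as it arrives instead of
        # being spooled to disk first.
        proxy_request_buffering off;
    }

    location / {
        return 404;
    }

    access_log /var/log/nginx/levcs.access.log;
    error_log  /var/log/nginx/levcs.error.log warn;
}

# HTTP → HTTPS redirect. Drop this if certbot manages it for you.
server {
    listen 80;
    listen [::]:80;
    server_name levcs.example.com;

    # Redirect to the configured name rather than $host: $host is taken
    # from the client's Host header, and if this block ends up as the
    # default server on port 80 it would echo an arbitrary hostname
    # back in the Location header.
    return 301 https://$server_name$request_uri;
}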