refactor: clean up configuration and add production infrastructure

- Add .aitbc.yaml configuration file with test values - Simplify .gitignore by removing merge conflicts and redundant entries - Reorganize .gitignore sections for better clarity - Set chain_id and proposer_id to empty strings in config.py (require explicit configuration) - Add production Helm values configuration - Add production nginx configuration - Update environment variable handling in chain settings
2026-03-19 12:59:34 +01:00
parent 5f2ab48b9a
commit b4b5a57390
111 changed files with 13106 additions and 346 deletions
--- a/infra/helm/values/prod.yaml
+++ b/infra/helm/values/prod.yaml
@@ -0,0 +1,140 @@
+# Production environment values
+global:
+  environment: production
+
+coordinator:
+  replicaCount: 3
+  image:
+    tag: "v0.1.0"
+  resources:
+    limits:
+      cpu: 2000m
+      memory: 2Gi
+    requests:
+      cpu: 1000m
+      memory: 1Gi
+  autoscaling:
+    enabled: true
+    minReplicas: 3
+    maxReplicas: 20
+    targetCPUUtilizationPercentage: 75
+    targetMemoryUtilizationPercentage: 80
+  config:
+    appEnv: production
+    allowOrigins: "https://app.aitbc.io"
+  postgresql:
+    auth:
+      existingSecret: "coordinator-db-secret"
+    primary:
+      persistence:
+        size: 200Gi
+        storageClass: fast-ssd
+      resources:
+        limits:
+          cpu: 2000m
+          memory: 4Gi
+        requests:
+          cpu: 1000m
+          memory: 2Gi
+    readReplicas:
+      replicaCount: 2
+      resources:
+        limits:
+          cpu: 1000m
+          memory: 2Gi
+        requests:
+          cpu: 500m
+          memory: 1Gi
+
+monitoring:
+  prometheus:
+    server:
+      retention: 90d
+      persistentVolume:
+        size: 500Gi
+        storageClass: fast-ssd
+      resources:
+        limits:
+          cpu: 2000m
+          memory: 4Gi
+        requests:
+          cpu: 1000m
+          memory: 2Gi
+  grafana:
+    adminPassword: "prod-admin-secure-2024"
+    persistence:
+      size: 50Gi
+      storageClass: fast-ssd
+    resources:
+      limits:
+        cpu: 1000m
+          memory: 2Gi
+        requests:
+          cpu: 500m
+          memory: 1Gi
+    ingress:
+      enabled: true
+      hosts:
+        - grafana.aitbc.io
+
+# Additional services
+blockchainNode:
+  replicaCount: 5
+  resources:
+    limits:
+      cpu: 2000m
+      memory: 2Gi
+    requests:
+      cpu: 1000m
+      memory: 1Gi
+  autoscaling:
+    enabled: true
+    minReplicas: 5
+    maxReplicas: 50
+    targetCPUUtilizationPercentage: 70
+
+walletDaemon:
+  replicaCount: 3
+  resources:
+    limits:
+      cpu: 1000m
+      memory: 1Gi
+    requests:
+      cpu: 500m
+      memory: 512Mi
+  autoscaling:
+    enabled: true
+    minReplicas: 3
+    maxReplicas: 10
+    targetCPUUtilizationPercentage: 75
+
+# Ingress configuration
+ingress:
+  enabled: true
+  className: nginx
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    nginx.ingress.kubernetes.io/rate-limit: "100"
+    nginx.ingress.kubernetes.io/rate-limit-window: "1m"
+  hosts:
+    - host: api.aitbc.io
+      paths:
+        - path: /
+          pathType: Prefix
+  tls:
+    - secretName: prod-tls
+      hosts:
+        - api.aitbc.io
+
+# Security
+podSecurityPolicy:
+  enabled: true
+
+networkPolicy:
+  enabled: true
+
+# Backup configuration
+backup:
+  enabled: true
+  schedule: "0 2 * * *"
+  retention: "30d"
--- a/infra/helm/values/prod/values.yaml
+++ b/infra/helm/values/prod/values.yaml
@@ -0,0 +1,259 @@
+# Production environment Helm values
+
+global:
+  environment: prod
+  domain: aitbc.bubuit.net
+  imageTag: stable
+  imagePullPolicy: IfNotPresent
+
+# Coordinator API
+coordinator:
+  enabled: true
+  replicas: 3
+  image:
+    repository: aitbc/coordinator-api
+    tag: stable
+  resources:
+    requests:
+      cpu: 500m
+      memory: 1Gi
+    limits:
+      cpu: 2000m
+      memory: 2Gi
+  service:
+    type: ClusterIP
+    port: 8001
+  env:
+    LOG_LEVEL: warn
+    DATABASE_URL: secretRef:db-credentials
+  autoscaling:
+    enabled: true
+    minReplicas: 3
+    maxReplicas: 10
+    targetCPUUtilization: 60
+    targetMemoryUtilization: 70
+  livenessProbe:
+    initialDelaySeconds: 30
+    periodSeconds: 10
+  readinessProbe:
+    initialDelaySeconds: 5
+    periodSeconds: 5
+
+# Explorer Web
+explorer:
+  enabled: true
+  replicas: 3
+  image:
+    repository: aitbc/explorer-web
+    tag: stable
+  resources:
+    requests:
+      cpu: 200m
+      memory: 512Mi
+    limits:
+      cpu: 1000m
+      memory: 1Gi
+  service:
+    type: ClusterIP
+    port: 3000
+  autoscaling:
+    enabled: true
+    minReplicas: 3
+    maxReplicas: 8
+
+# Marketplace Web
+marketplace:
+  enabled: true
+  replicas: 3
+  image:
+    repository: aitbc/marketplace-web
+    tag: stable
+  resources:
+    requests:
+      cpu: 200m
+      memory: 512Mi
+    limits:
+      cpu: 1000m
+      memory: 1Gi
+  service:
+    type: ClusterIP
+    port: 3001
+  autoscaling:
+    enabled: true
+    minReplicas: 3
+    maxReplicas: 8
+
+# Wallet Daemon
+wallet:
+  enabled: true
+  replicas: 2
+  image:
+    repository: aitbc/wallet-daemon
+    tag: stable
+  resources:
+    requests:
+      cpu: 500m
+      memory: 1Gi
+    limits:
+      cpu: 2000m
+      memory: 2Gi
+  service:
+    type: ClusterIP
+    port: 8002
+  autoscaling:
+    enabled: true
+    minReplicas: 2
+    maxReplicas: 6
+
+# Trade Exchange
+exchange:
+  enabled: true
+  replicas: 2
+  image:
+    repository: aitbc/trade-exchange
+    tag: stable
+  resources:
+    requests:
+      cpu: 250m
+      memory: 512Mi
+    limits:
+      cpu: 1000m
+      memory: 1Gi
+  service:
+    type: ClusterIP
+    port: 8085
+
+# PostgreSQL (prod uses RDS Multi-AZ)
+postgresql:
+  enabled: false
+  external:
+    host: secretRef:db-credentials:host
+    port: 5432
+    database: coordinator
+    sslMode: require
+
+# Redis (prod uses ElastiCache)
+redis:
+  enabled: false
+  external:
+    host: secretRef:redis-credentials:host
+    port: 6379
+    auth: true
+
+# Ingress
+ingress:
+  enabled: true
+  className: nginx
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /
+    nginx.ingress.kubernetes.io/proxy-body-size: 10m
+    nginx.ingress.kubernetes.io/rate-limit: "100"
+    nginx.ingress.kubernetes.io/rate-limit-window: 1m
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+  tls:
+    - secretName: prod-tls
+      hosts:
+        - aitbc.bubuit.net
+  hosts:
+    - host: aitbc.bubuit.net
+      paths:
+        - path: /api
+          service: coordinator
+          port: 8001
+        - path: /explorer
+          service: explorer
+          port: 3000
+        - path: /marketplace
+          service: marketplace
+          port: 3001
+        - path: /wallet
+          service: wallet
+          port: 8002
+        - path: /Exchange
+          service: exchange
+          port: 8085
+
+# Monitoring
+monitoring:
+  enabled: true
+  prometheus:
+    enabled: true
+    retention: 30d
+    resources:
+      requests:
+        cpu: 500m
+        memory: 2Gi
+      limits:
+        cpu: 2000m
+        memory: 4Gi
+  grafana:
+    enabled: true
+    persistence:
+      enabled: true
+      size: 10Gi
+  alertmanager:
+    enabled: true
+    config:
+      receivers:
+        - name: slack
+          slack_configs:
+            - channel: '#aitbc-alerts'
+              send_resolved: true
+
+# Logging
+logging:
+  enabled: true
+  level: warn
+  elasticsearch:
+    enabled: true
+    retention: 30d
+    replicas: 3
+
+# Pod Disruption Budgets
+podDisruptionBudget:
+  coordinator:
+    minAvailable: 2
+  explorer:
+    minAvailable: 2
+  marketplace:
+    minAvailable: 2
+  wallet:
+    minAvailable: 1
+
+# Network Policies
+networkPolicy:
+  enabled: true
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              name: ingress-nginx
+  egress:
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              name: kube-system
+      ports:
+        - port: 53
+          protocol: UDP
+
+# Security
+securityContext:
+  runAsNonRoot: true
+  runAsUser: 1000
+  fsGroup: 1000
+  readOnlyRootFilesystem: true
+
+# Affinity - spread across zones
+affinity:
+  podAntiAffinity:
+    preferredDuringSchedulingIgnoredDuringExecution:
+      - weight: 100
+        podAffinityTerm:
+          labelSelector:
+            matchLabels:
+              app: coordinator
+          topologyKey: topology.kubernetes.io/zone
+
+# Priority Classes
+priorityClassName: high-priority
--- a/infra/nginx/nginx-aitbc-reverse-proxy.conf
+++ b/infra/nginx/nginx-aitbc-reverse-proxy.conf
@@ -0,0 +1,247 @@
+# AITBC Nginx Reverse Proxy Configuration
+# Domain: aitbc.keisanki.net
+# This configuration replaces the need for firehol/iptables port forwarding
+
+# HTTP to HTTPS redirect
+server {
+    listen 80;
+    server_name aitbc.keisanki.net;
+    
+    # Redirect all HTTP traffic to HTTPS
+    return 301 https://$server_name$request_uri;
+}
+
+# Main HTTPS server block
+server {
+    listen 443 ssl http2;
+    server_name aitbc.keisanki.net;
+    
+    # SSL Configuration (Let's Encrypt certificates)
+    ssl_certificate /etc/letsencrypt/live/aitbc.keisanki.net/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/aitbc.keisanki.net/privkey.pem;
+    include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+    
+    # Security headers
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline' 'unsafe-eval'" always;
+    
+    # Enable gzip compression
+    gzip on;
+    gzip_vary on;
+    gzip_min_length 1024;
+    gzip_types text/plain text/css text/xml text/javascript application/javascript application/xml+rss application/json;
+    
+    # Blockchain Explorer (main route)
+    location / {
+        proxy_pass http://192.168.100.10:3000;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_buffering off;
+        
+        # WebSocket support if needed
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+    }
+    
+    # Coordinator API
+    location /api/ {
+        proxy_pass http://192.168.100.10:8000/v1/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_buffering off;
+        
+        # CORS headers for API
+        add_header Access-Control-Allow-Origin "*" always;
+        add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
+        add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,X-Api-Key" always;
+        
+        # Handle preflight requests
+        if ($request_method = 'OPTIONS') {
+            add_header Access-Control-Allow-Origin "*";
+            add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
+            add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,X-Api-Key";
+            add_header Access-Control-Max-Age 1728000;
+            add_header Content-Type "text/plain; charset=utf-8";
+            add_header Content-Length 0;
+            return 204;
+        }
+    }
+    
+    # Blockchain Node 1 RPC
+    location /rpc/ {
+        proxy_pass http://192.168.100.10:8082/rpc/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_buffering off;
+    }
+    
+    # Blockchain Node 2 RPC (alternative endpoint)
+    location /rpc2/ {
+        proxy_pass http://192.168.100.10:8081/rpc/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_buffering off;
+    }
+    
+    # Exchange API
+    location /exchange/ {
+        proxy_pass http://192.168.100.10:9080/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_buffering off;
+    }
+    
+    # Marketplace UI (if separate from explorer)
+    location /marketplace/ {
+        proxy_pass http://192.168.100.10:3001/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_buffering off;
+        
+        # Handle subdirectory rewrite
+        rewrite ^/marketplace/(.*)$ /$1 break;
+    }
+    
+    # Admin dashboard
+    location /admin/ {
+        proxy_pass http://192.168.100.10:8080/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_buffering off;
+        
+        # Optional: Restrict admin access
+        # allow 192.168.100.0/24;
+        # allow 127.0.0.1;
+        # deny all;
+    }
+    
+    # Health check endpoint
+    location /health {
+        access_log off;
+        return 200 "healthy\n";
+        add_header Content-Type text/plain;
+    }
+    
+    # API health checks
+    location /api/health {
+        proxy_pass http://192.168.100.10:8000/v1/health;
+        proxy_set_header Host $host;
+        access_log off;
+    }
+    
+    # Static assets caching
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
+        proxy_pass http://192.168.100.10:3000;
+        expires 1y;
+        add_header Cache-Control "public, immutable";
+        add_header X-Content-Type-Options nosniff;
+        
+        # Don't log static file access
+        access_log off;
+    }
+    
+    # Deny access to hidden files
+    location ~ /\. {
+        deny all;
+        access_log off;
+        log_not_found off;
+    }
+    
+    # Custom error pages
+    error_page 404 /404.html;
+    error_page 500 502 503 504 /50x.html;
+    
+    location = /50x.html {
+        root /usr/share/nginx/html;
+    }
+}
+
+# Optional: Subdomain for API-only access
+server {
+    listen 443 ssl http2;
+    server_name api.aitbc.keisanki.net;
+    
+    # SSL Configuration (same certificates)
+    ssl_certificate /etc/letsencrypt/live/aitbc.keisanki.net/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/aitbc.keisanki.net/privkey.pem;
+    include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+    
+    # Security headers
+    add_header X-Frame-Options "DENY" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    
+    # API routes only
+    location / {
+        proxy_pass http://192.168.100.10:8000/v1/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_buffering off;
+        
+        # CORS headers
+        add_header Access-Control-Allow-Origin "*" always;
+        add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
+        add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,X-Api-Key" always;
+        
+        # Handle preflight requests
+        if ($request_method = 'OPTIONS') {
+            add_header Access-Control-Allow-Origin "*";
+            add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
+            add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,X-Api-Key";
+            add_header Access-Control-Max-Age 1728000;
+            add_header Content-Type "text/plain; charset=utf-8";
+            add_header Content-Length 0;
+            return 204;
+        }
+    }
+}
+
+# Optional: Subdomain for blockchain RPC
+server {
+    listen 443 ssl http2;
+    server_name rpc.aitbc.keisanki.net;
+    
+    # SSL Configuration
+    ssl_certificate /etc/letsencrypt/live/aitbc.keisanki.net/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/aitbc.keisanki.net/privkey.pem;
+    include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+    
+    # Security headers
+    add_header X-Frame-Options "DENY" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    
+    # RPC routes
+    location / {
+        proxy_pass http://192.168.100.10:8082/rpc/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_buffering off;
+    }
+}
--- a/infra/nginx/nginx-aitbc.conf
+++ b/infra/nginx/nginx-aitbc.conf
@@ -0,0 +1,133 @@
+# AITBC Services Nginx Configuration
+# Domain: https://aitbc.bubuit.net
+
+server {
+    listen 80;
+    server_name aitbc.bubuit.net;
+    
+    # Redirect to HTTPS
+    return 301 https://$server_name$request_uri;
+}
+
+server {
+    listen 443 ssl http2;
+    server_name aitbc.bubuit.net;
+    
+    # SSL Configuration (Let's Encrypt)
+    ssl_certificate /etc/letsencrypt/live/aitbc.bubuit.net/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/aitbc.bubuit.net/privkey.pem;
+    include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+    
+    # Security Headers
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header Referrer-Policy "no-referrer-when-downgrade" always;
+    add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
+    
+    # API Routes
+    location /api/ {
+        proxy_pass http://127.0.0.1:8000/v1/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_buffering off;
+    }
+    
+    # Blockchain RPC Routes
+    location /rpc/ {
+        proxy_pass http://127.0.0.1:9080/rpc/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_buffering off;
+    }
+    
+    # Marketplace UI
+    location /Marketplace {
+        proxy_pass http://127.0.0.1:3001/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        
+        # Handle subdirectory
+        rewrite ^/Marketplace/(.*)$ /$1 break;
+        proxy_buffering off;
+    }
+    
+    # Trade Exchange
+    location /Exchange {
+        proxy_pass http://127.0.0.1:3002/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        
+        # Handle subdirectory
+        rewrite ^/Exchange/(.*)$ /$1 break;
+        proxy_buffering off;
+    }
+    
+    # Exchange API Routes
+    location /api/trades/ {
+        proxy_pass http://127.0.0.1:3003/api/trades/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_buffering off;
+    }
+    
+    location /api/orders {
+        proxy_pass http://127.0.0.1:3003/api/orders;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_buffering off;
+    }
+    
+    # Wallet CLI API (if needed)
+    location /wallet/ {
+        proxy_pass http://127.0.0.1:8000/wallet/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+    
+    # Admin routes
+    location /admin/ {
+        proxy_pass http://127.0.0.1:8000/admin/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        
+        # Restrict access (optional)
+        # allow 127.0.0.1;
+        # allow 10.1.223.0/24;
+        # deny all;
+    }
+    
+    # Health check
+    location /health {
+        proxy_pass http://127.0.0.1:8000/v1/health;
+        proxy_set_header Host $host;
+    }
+    
+    # Default redirect to Marketplace
+    location / {
+        return 301 /Marketplace;
+    }
+    
+    # Static file caching
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
+        expires 1y;
+        add_header Cache-Control "public, immutable";
+    }
+}