# AITBC Agent-First Website - Nginx Configuration Example (Live-Only)
#
# This configuration serves ONLY live data from the blockchain RPC.
# No static JSON files - all endpoints query the node in real-time.
#
# Requirements:
#   - live_api.py running on port 8080
#   - aitbc-blockchain-rpc service running on port 8006
#
# Installation:
#   sudo cp nginx-example.conf /etc/nginx/sites-available/aitbc-agent
#   sudo ln -s /etc/nginx/sites-available/aitbc-agent /etc/nginx/sites-enabled/
#   sudo nginx -t
#   sudo systemctl reload nginx

server {
    listen 80;
    listen [::]:80;

    server_name aitbc.bubuit.net localhost;

    # Security headers
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "no-referrer-when-downgrade" always;

    # ============================================
    # AGENT API - Live-only (real-time from RPC)
    # ============================================
    # All agent endpoints proxy to live_api.py service on port 8081
    # No static files - everything is queried live from blockchain

    location /agent/health {
        proxy_pass http://127.0.0.1:8081/agent/health;
        proxy_set_header Host $host;
        add_header Access-Control-Allow-Origin * always;
        add_header Cache-Control "no-cache, no-store, must-revalidate" always;
    }

    location /agent/discovery.json {
        proxy_pass http://127.0.0.1:8081/agent/discovery.json;
        proxy_set_header Host $host;
        add_header Access-Control-Allow-Origin * always;
        add_header Cache-Control "no-cache, no-store, must-revalidate" always;
    }

    location /agent/islands.json {
        proxy_pass http://127.0.0.1:8081/agent/islands.json;
        proxy_set_header Host $host;
        add_header Access-Control-Allow-Origin * always;
        add_header Cache-Control "no-cache, no-store, must-revalidate" always;
    }

    location /agent/chains.json {
        proxy_pass http://127.0.0.1:8081/agent/chains.json;
        proxy_set_header Host $host;
        add_header Access-Control-Allow-Origin * always;
        add_header Cache-Control "no-cache, no-store, must-revalidate" always;
    }

    # Agent landing page (static HTML for human readability)
    location /agent/ {
        alias /opt/aitbc/website/agent/;
        index index.html;
        try_files $uri $uri/ =404;
        
        # CORS headers
        add_header Access-Control-Allow-Origin * always;
        add_header Access-Control-Allow-Methods "GET, OPTIONS" always;
        add_header Access-Control-Allow-Headers "Content-Type, Accept" always;
    }

    # ============================================
    # RPC ENDPOINTS - Direct blockchain access
    # ============================================
    location /rpc/ {
        proxy_pass http://127.0.0.1:8006/rpc/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        add_header Access-Control-Allow-Origin * always;
        add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;

        if ($request_method = 'OPTIONS') {
            return 204;
        }
    }

    # ============================================
    # MAIN WEBSITE - Agent discovery interface
    # ============================================
    location / {
        root /opt/aitbc/website;
        index index.html;
        try_files $uri $uri/ =404;
    }

    # Static assets caching
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
    }

    # Logging
    access_log /var/log/nginx/aitbc-agent.access.log;
    error_log /var/log/nginx/aitbc-agent.error.log;
}