server {
    listen 80;
    server_name _;
    root /usr/share/nginx/html;
    index index.html;

    # ERPNext API proxy — token injected server-side (never in JS bundle)
    location /api/ {
        proxy_pass https://erp.gigafibre.ca;
        proxy_ssl_verify off;
        proxy_set_header Host erp.gigafibre.ca;
        proxy_set_header Authorization "token b273a666c86d2d0:06120709db5e414";
        proxy_set_header X-Authentik-Email $http_x_authentik_email;
        proxy_set_header X-Authentik-Username $http_x_authentik_username;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # Ollama Vision API proxy — for bill/invoice OCR
    location /ollama/ {
        proxy_pass http://ollama:11434/;
        proxy_set_header Host $host;
        proxy_read_timeout 300s;
        proxy_send_timeout 300s;
        client_max_body_size 20m;
    }

    # SPA fallback
    location / {
        try_files $uri $uri/ /index.html;
    }

    location = /index.html {
        add_header Cache-Control "no-cache, no-store, must-revalidate";
    }
    location = /sw.js {
        add_header Cache-Control "no-cache, no-store, must-revalidate";
    }

    location /assets/ {
        expires 30d;
        add_header Cache-Control "public, immutable";
    }
}