server {
    listen 80;
    server_name _;
    root /usr/share/nginx/html;
    index index.html;

    # ERPNext API proxy — token injected server-side (never in JS bundle)
    location /api/ {
        proxy_pass https://erp.gigafibre.ca;
        proxy_ssl_verify off;
        proxy_set_header Host erp.gigafibre.ca;
        proxy_set_header Authorization "token b273a666c86d2d0:06120709db5e414";
        proxy_set_header X-Authentik-Email $http_x_authentik_email;
        proxy_set_header X-Authentik-Username $http_x_authentik_username;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # NOTE: Ollama Vision proxy removed 2026-04-22 — all invoice OCR and
    # barcode/equipment scans now go directly to targo-hub (Gemini 2.5 Flash).
    # See docs/VISION_AND_OCR.md.

    # Targo Hub API proxy — vision, devices, etc.
    location /hub/ {
        resolver 127.0.0.11 valid=10s;
        set $hub_upstream http://targo-hub:3300;
        proxy_pass $hub_upstream/;
        proxy_set_header Host $host;
        proxy_set_header X-Authentik-Email $http_x_authentik_email;
        proxy_set_header X-Authentik-Username $http_x_authentik_username;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 60s;
        client_max_body_size 20m;
    }

    # SPA fallback
    location / {
        try_files $uri $uri/ /index.html;
    }

    location = /index.html {
        add_header Cache-Control "no-cache, no-store, must-revalidate";
    }
    location = /sw.js {
        add_header Cache-Control "no-cache, no-store, must-revalidate";
    }

    location /assets/ {
        expires 30d;
        add_header Cache-Control "public, immutable";
    }
}