server {
    listen 80;
    server_name _;
    root /usr/share/nginx/html;
    index index.html;

    resolver 127.0.0.11 valid=30s;

    # ERPNext API proxy — token injected server-side (never in JS bundle)
    # To rotate: edit this file + docker restart ops-frontend
    location /api/ {
        proxy_pass https://erp.gigafibre.ca;
        proxy_ssl_verify off;
        proxy_set_header Host erp.gigafibre.ca;
        proxy_set_header Authorization "token b273a666c86d2d0:06120709db5e414";
        proxy_set_header X-Authentik-Email $http_x_authentik_email;
        proxy_set_header X-Authentik-Username $http_x_authentik_username;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # NOTE: Ollama Vision proxy removed 2026-04-22 — invoice OCR and all
    # barcode/equipment scans now go directly to targo-hub (Gemini 2.5 Flash).
    # See docs/VISION_AND_OCR.md. The hub handles CORS + rate-limit, so no
    # nginx pass-through is needed here.

    # SPA fallback — all routes serve index.html
    location / {
        try_files $uri $uri/ /index.html;
    }

    # No cache for index.html and service worker
    location = /index.html {
        add_header Cache-Control "no-cache, no-store, must-revalidate";
    }
    location = /sw.js {
        add_header Cache-Control "no-cache, no-store, must-revalidate";
    }

    # Cache static assets (30 days, immutable)
    location /assets/ {
        expires 30d;
        add_header Cache-Control "public, immutable";
    }
}