# =============================================================================
# NGINX CONFIG - hofmanns.ai
# =============================================================================

# Authentik SSO
server {
    listen 80;
    server_name auth.hofmanns.ai;
    
    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name auth.hofmanns.ai;
    
    ssl_certificate /etc/nginx/ssl/hofmanns.ai.crt;
    ssl_certificate_key /etc/nginx/ssl/hofmanns.ai.key;
    
    location / {
        proxy_pass http://authentik-server:9000;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# RustDesk Web (optional)
server {
    listen 80;
    server_name rustdesk.hofmanns.ai;
    
    location / {
        proxy_pass http://rustdesk-hbbs:21118;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# Forward Auth für alle geschützten Services
# Beispiel für einen Service hinter Authentik
server {
    listen 443 ssl http2;
    server_name portal.hofmanns.ai;
    
    ssl_certificate /etc/nginx/ssl/hofmanns.ai.crt;
    ssl_certificate_key /etc/nginx/ssl/hofmanns.ai.key;
    
    # Authentik Forward Auth
    location /outpost.goauthentik.io {
        proxy_pass http://authentik-server:9000/outpost.goauthentik.io;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    
    location / {
        auth_request /outpost.goauthentik.io/auth/nginx;
        error_page 401 = @goauthentik_proxy_signin;
        
        # Nach erfolgreicher Auth → weiterleiten zum Jetson
        proxy_pass http://JETSON_TUNNEL_OR_IP:3001;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
    
    location @goauthentik_proxy_signin {
        internal;
        add_header Set-Cookie $auth_cookie;
        return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    }
}