server {
    listen 80;
    server_name voix-du-peuple.example.com;

    # Redirection HTTPS (décommentez après avoir configuré Certbot)
    # return 301 https://$host$request_uri;

    root /opt/voix-du-peuple/artifacts/voix-du-peuple/dist/public;
    index index.html;

    # Sécurité
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "DENY" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # API Flask — proxy vers Gunicorn
    location /api/ {
        proxy_pass         http://127.0.0.1:8000;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_read_timeout 60s;
    }

    # Frontend React — Single Page Application
    location / {
        try_files $uri $uri/ /index.html;
    }

    # Assets statiques — cache long
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff2?)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
    }
}

# HTTPS — décommentez et adaptez après avoir obtenu votre certificat SSL
# server {
#     listen 443 ssl http2;
#     server_name voix-du-peuple.example.com;
#
#     ssl_certificate     /etc/letsencrypt/live/voix-du-peuple.example.com/fullchain.pem;
#     ssl_certificate_key /etc/letsencrypt/live/voix-du-peuple.example.com/privkey.pem;
#     ssl_protocols       TLSv1.2 TLSv1.3;
#     ssl_ciphers         HIGH:!aNULL:!MD5;
#
#     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
#     add_header X-Content-Type-Options "nosniff" always;
#     add_header X-Frame-Options "DENY" always;
#     add_header X-XSS-Protection "1; mode=block" always;
#     add_header Referrer-Policy "strict-origin-when-cross-origin" always;
#
#     root /opt/voix-du-peuple/artifacts/voix-du-peuple/dist/public;
#     index index.html;
#
#     location /api/ {
#         proxy_pass         http://127.0.0.1:8000;
#         proxy_set_header   Host              $host;
#         proxy_set_header   X-Real-IP         $remote_addr;
#         proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
#         proxy_set_header   X-Forwarded-Proto $scheme;
#         proxy_read_timeout 60s;
#     }
#
#     location / {
#         try_files $uri $uri/ /index.html;
#     }
#
#     location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff2?)$ {
#         expires 1y;
#         add_header Cache-Control "public, immutable";
#     }
# }