# -----------------------------------------------------------------------------
#  Novarix Networks — Nginx site config
#
#  Place at: /etc/nginx/sites-available/novarix.uk
#  Then:    sudo ln -s /etc/nginx/sites-available/novarix.uk \
#                      /etc/nginx/sites-enabled/
#           sudo nginx -t && sudo systemctl reload nginx
#
#  This server listens on plain HTTP only — TLS termination happens upstream
#  in Nginx Proxy Manager. Adjust if you front it with something else.
# -----------------------------------------------------------------------------

server {
    listen      80;
    listen      [::]:80;
    server_name novarix.uk www.novarix.uk;

    # Static export from `npm run build` — this directory must exist after
    # the first deploy.
    root  /var/www/novarix.uk/out;
    index index.html;

    # Don't leak nginx version
    server_tokens off;

    # Reasonable defaults
    charset utf-8;
    client_max_body_size 1M;

    # ---------------------------------------------------------------------
    # Routing for Next.js static export
    # ---------------------------------------------------------------------
    # Pretty URLs: /services -> /services.html, falling back to 404.html
    location / {
        try_files $uri $uri.html $uri/index.html =404;
    }

    # ---------------------------------------------------------------------
    # Caching
    # ---------------------------------------------------------------------
    # Hashed Next.js assets (JS/CSS/fonts) — cache forever, immutable
    location /_next/static/ {
        access_log off;
        add_header Cache-Control "public, max-age=31536000, immutable";
    }

    # Other static assets in /public — sensible long cache
    location ~* \.(?:ico|css|js|gif|jpe?g|png|webp|svg|woff2?|ttf|eot|json)$ {
        access_log off;
        add_header Cache-Control "public, max-age=2592000";
    }

    # robots / sitemap should not be cached aggressively
    location = /robots.txt {
        add_header Cache-Control "public, max-age=300";
    }
    location = /sitemap.xml {
        add_header Cache-Control "public, max-age=300";
    }

    # ---------------------------------------------------------------------
    # Hardening
    # ---------------------------------------------------------------------
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options        "SAMEORIGIN" always;
    add_header Referrer-Policy        "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy     "camera=(), microphone=(), geolocation=()" always;

    # Custom error page (Next.js generates this at build time)
    error_page 404 /404.html;

    # ---------------------------------------------------------------------
    # Don't serve hidden files
    # ---------------------------------------------------------------------
    location ~ /\.(?!well-known) {
        deny all;
    }
}