# /etc/nginx/sites-available/musehub
# This is the final config AFTER Certbot has added SSL.
# Certbot auto-generates a version like this; included here for reference/recovery.

server {
    listen 80;
    listen [::]:80;
    server_name musehub.ai www.musehub.ai;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name musehub.ai www.musehub.ai;

    ssl_certificate     /etc/letsencrypt/live/musehub.ai/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/musehub.ai/privkey.pem;
    include             /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam         /etc/letsencrypt/ssl-dhparams.pem;

    client_max_body_size 50m;

    # Push endpoints need a longer timeout — large repos can take several
    # seconds to serialize and write all objects. 60s causes 502 on first push.
    # /push/objects is Phase 1 of the chunked push protocol (object pre-upload).
    # /push is Phase 2 (commits + snapshots, refs updated atomically).
    location ~ ^/[^/]+/[^/]+/push(/objects)?$ {
        proxy_pass         http://127.0.0.1:10003;
        proxy_http_version 1.1;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_read_timeout 300s;
    }

    # Proxy all other traffic to the MuseHub uvicorn container
    location / {
        proxy_pass         http://127.0.0.1:10003;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade           $http_upgrade;
        proxy_set_header   Connection        "upgrade";
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_read_timeout 60s;
    }
}