server {
  listen 80;
  server_name skymoneybudget.com;

  # Redirect all HTTP to HTTPS
  return 301 https://$host$request_uri;
}

server {
  listen 443 ssl http2;
  server_name skymoneybudget.com;

  # TLS certs (adjust paths if using certbot or another ACME client)
  ssl_certificate /etc/letsencrypt/live/skymoneybudget.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/skymoneybudget.com/privkey.pem;

  # Security headers
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
  add_header X-Content-Type-Options "nosniff" always;
  add_header Referrer-Policy "strict-origin-when-cross-origin" always;

  # Static web app
  root /var/www/skymoney/dist;
  index index.html;

  location / {
    try_files $uri /index.html;
  }

  # API reverse proxy
  location /api/ {
    proxy_pass http://127.0.0.1:8081/;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host $host;
  }
}