server {
    listen 80;
    server_name _;
    root /usr/share/nginx/html;
    index index.html;

    # DNS resolver for Docker
    resolver 127.0.0.11 valid=30s;

    # API proxy
    location /api {
        set $backend_upstream "veridian-preview-backend:3000";
        proxy_pass http://$backend_upstream;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # .well-known directory (serve directly)
    location /.well-known/ {
        try_files $uri =404;
        add_header Content-Type application/json;
    }

    # APK download
    location /visitorkiosk.apk {
        try_files $uri =404;
        add_header Content-Type application/vnd.android.package-archive;
        add_header Content-Disposition "attachment; filename=visitorkiosk.apk";
    }

    # Static assets (JS, CSS, images, fonts)
    location /assets/ {
        try_files $uri =404;
        add_header Cache-Control "public, max-age=31536000, immutable";
    }

    # HTML files - no cache to ensure fresh asset references
    location ~* \.(html)$ {
        try_files $uri =404;
        add_header Cache-Control "no-cache, no-store, must-revalidate";
    }

    # Frontend SPA routing
    location / {
        try_files $uri $uri/ /index.html;
        add_header Cache-Control "no-cache, no-store, must-revalidate";
    }

    # Security headers
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
}