# Parsons demo host — drop into swag's /config/nginx/site-confs/ directory.
#
# Serves static demo slices at parsons.tensordesign.com.au/<slice>/ behind
# basic auth. One server block, one cert (Let's Encrypt via swag), one
# htpasswd covering all slices.
#
# Document root layout (host filesystem):
#   <host_path>/parsons-demos/
#     index.html              ← optional landing page listing slices
#     arrangement/
#       index.html
#       assets/...
#     <other-slices>/
#
# Bind-mount that directory into swag at /config/www/parsons-demos/ — the
# `root` directive below assumes that path. Adjust if you mount elsewhere.

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;

    server_name parsons.*;

    # swag manages the cert chain via SUBDOMAINS — make sure `parsons` is in
    # the SUBDOMAINS env var of the swag container so this resolves.
    include /config/nginx/ssl.conf;

    root /config/www/parsons-demos;
    index index.html;

    # One credential file covering every slice. Create with:
    #   docker exec -it swag htpasswd -c /config/nginx/.htpasswd-parsons client
    auth_basic "Parsons demos";
    auth_basic_user_file /config/nginx/.htpasswd-parsons;

    # Optional: don't auth the root listing if you want it publicly visible.
    # (Currently auth covers it too — change to `auth_basic off;` to expose.)

    # Root path serves the optional landing index.html if present, else 404.
    location = / {
        try_files /index.html =404;
    }

    # Long cache for fingerprinted assets — Vite produces hashed filenames so
    # this is safe. HTML is short-cache so updates land on next refresh.
    # NOTE: asset + html regex locations must come BEFORE the slice fallback
    # below, because nginx uses the first matching regex location.
    location ~* \.(?:js|css|woff2?|ttf|otf|eot|png|jpg|jpeg|gif|svg|webp|ico)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
        access_log off;
    }

    location ~* \.html$ {
        expires -1;
        add_header Cache-Control "no-cache, must-revalidate";
    }

    # SPA fallback per slice. /<slice>/<react-route> resolves to that
    # slice's index.html so React Router handles the rest. Static assets
    # (.js/.css/.png/etc.) are handled by the regex blocks above.
    location ~ ^/(?<slice>[^/]+)/ {
        try_files $uri $uri/ /$slice/index.html;
    }

    # Hide hidden files (e.g. .htpasswd if it ever ends up in webroot)
    location ~ /\. {
        deny all;
    }
}

# HTTP → HTTPS redirect — swag's default server already covers this for
# wildcard subdomains, but include explicitly here in case the default is
# customised.
server {
    listen 80;
    listen [::]:80;
    server_name parsons.*;
    return 301 https://$host$request_uri;
}