# ───────────────────────────────────────────────────────────────────────────────
# 1) MAP BLOCK: translate incoming “Upgrade” header into a proper Connection header
#    (necessary for WebSocket support)
# ───────────────────────────────────────────────────────────────────────────────
map $http_upgrade $connection_upgrade {
    default   upgrade;   # if client asks to “Upgrade” (e.g. WebSocket), keep it open
    ''        close;     # otherwise, Nginx will close the connection
}

# ───────────────────────────────────────────────────────────────────────────────
# 2) SERVER BLOCK: listen on port 8443 with SSL for Proxmox Proxy
# ───────────────────────────────────────────────────────────────────────────────
server {
    listen       8443 ssl;           # HTTPS port (you can change to 443 or another)
    server_name  192.168.86.87;      # your server’s hostname or IP address

    # ───────────────────────────────────────────────────────────────────────────
    # SSL SETTINGS: point to your certificate and private key
    # ───────────────────────────────────────────────────────────────────────────
    ssl_certificate     /etc/ssl/nginx/pve-proxy.crt;
    ssl_certificate_key /etc/ssl/nginx/pve-proxy.key;

    # ───────────────────────────────────────────────────────────────────────────
    # ALLOW LARGE UPLOADS: unlimited client body size for ISO uploads, etc.
    # ───────────────────────────────────────────────────────────────────────────
    client_max_body_size 0;

    # ───────────────────────────────────────────────────────────────────────────
    # SANITY CHECK: simple Lua that logs on every reload to confirm Lua’s working
    # ───────────────────────────────────────────────────────────────────────────
    access_by_lua_block {
      ngx.log(ngx.ERR, "[GPU] nginx+lua is alive")
    }

    # ───────────────────────────────────────────────────────────────────────────
    # LOCATION #1: catch Proxmox VM start/stop API calls (hook GPU script)
    # ───────────────────────────────────────────────────────────────────────────
    location ~ ^/api2/(?:json|extjs)/nodes/[^/]+/qemu/\d+/status/(?:start|stop|shutdown|reboot|reset)$ {
        access_by_lua_block {
            local uri    = ngx.var.request_uri
            local vmid   = uri:match("/qemu/(%d+)/status")
            local action = uri:match("/status/(%a+)$")
            local mode   = (action=="start") and "pre-start" or "post-stop"

            ngx.log(ngx.ERR, "[GPU] vm", vmid, "→ hooking ", action, " as ", mode)

            local cmd = "sudo /usr/local/share/pve-hook-scripts/gpu-autopick.sh "
                      .. vmid .. " " .. mode .. " 2>&1"

            local h   = io.popen(cmd)
            local out = h:read("*a")
            local ok, typ, st = h:close()

            ngx.log(ngx.ERR,
              "[GPU] cmd=", cmd,
              " ok=", tostring(ok),
              " type=", typ or "-",
              " stat=", tostring(st),
              " output=", out:gsub("\n","\\n"))
        }

        proxy_http_version 1.1;
        proxy_set_header  Upgrade             $http_upgrade;
        proxy_set_header  Connection          $connection_upgrade;
        proxy_set_header  Host                $host;
        proxy_set_header  X-Real-IP           $remote_addr;
        proxy_set_header  Authorization       $http_authorization;
        proxy_set_header  Cookie              $http_cookie;
        proxy_set_header  CSRFPreventionToken $http_csrfpreventiontoken;
        proxy_ssl_verify  off;

        proxy_connect_timeout 60s;
        proxy_send_timeout    60s;
        proxy_read_timeout    60s;

        proxy_pass https://127.0.0.1:8006;
    }

    # ───────────────────────────────────────────────────────────────────────────
    # LOCATION #2 (DEFAULT): UI, API, WebSockets, file uploads, etc.
    # ───────────────────────────────────────────────────────────────────────────
    location / {
        proxy_http_version 1.1;
        proxy_set_header  Upgrade             $http_upgrade;
        proxy_set_header  Connection          $connection_upgrade;
        proxy_set_header  Host                $host;
        proxy_set_header  X-Real-IP           $remote_addr;
        proxy_set_header  Authorization       $http_authorization;
        proxy_set_header  Cookie              $http_cookie;
        proxy_set_header  CSRFPreventionToken $http_csrfpreventiontoken;
        proxy_ssl_verify  off;

        # ───────────────────────────────────────────────────────────────────────
        # STREAM UPLOADS: don’t buffer the request body (ISO uploads, backups)
        # ───────────────────────────────────────────────────────────────────────
        proxy_request_buffering off;
        proxy_buffering         off;

        # long timeouts for slow uploads or web console
        proxy_connect_timeout  60s;
        proxy_send_timeout     3600s;
        proxy_read_timeout     3600s;

        proxy_pass https://127.0.0.1:8006;
    }

    # ───────────────────────────────────────────────────────────────────────────
    # LOGGING
    # ───────────────────────────────────────────────────────────────────────────
    access_log  /var/log/nginx/pve-proxy-access.log;
    error_log   /var/log/nginx/pve-proxy-error.log  debug;
}