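server {
    listen 80;
    listen [::]:80;
    server_name yourdomain.com www.yourdomain.com;

    # Redirect HTTP → HTTPS (uncomment after certbot)
    # return 301 https://$host$request_uri;

    # Do not advertise the nginx version in the Server header / error pages.
    server_tokens off;

    root /var/www/profit-tracker/public;
    index index.php;

    # Security headers.
    # NOTE: nginx does NOT inherit add_header into a location that declares its
    # own add_header, so any location below that adds a header must repeat
    # these (see the static-asset location). `always` keeps them on 4xx/5xx.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # Legacy header; modern guidance is "0" (or omit) and a Content-Security-Policy
    # instead. Kept as configured — review before enabling on new deployments.
    add_header X-XSS-Protection "1; mode=block";

    # Block access to sensitive directories. With root set to .../public these
    # paths should not be reachable anyway; this is defence in depth in case
    # they are ever copied or symlinked under the document root.
    # `return` runs in the rewrite phase, before `deny`, so it alone is enough.
    location ~* ^/(config|app|database|cron|storage)/ {
        return 403;
    }

    # Let the ACME HTTP-01 challenge through the dotfile block below
    # (prefix `^~` takes precedence over the regex locations).
    location ^~ /.well-known/acme-challenge/ {
        try_files $uri =404;
    }

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        # Only hand real files to PHP-FPM. Without this, a request such as
        # /some/upload.jpg/x.php matches this location and is passed to FPM,
        # which may execute the uploaded file if cgi.fix_pathinfo walks back.
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php8.2-fpm.sock;
        # $realpath_root resolves symlinks, so atomic "current -> release" deploys
        # do not serve a mix of old and new code from the opcache.
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
    }

    location ~* \.(css|js|png|jpg|ico|svg)$ {
        expires 30d;
        add_header Cache-Control "public, immutable";
        # Repeated here because the add_header above cancels inheritance of
        # the server-level security headers for this location.
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block";
    }

    # Deny every dotfile/dot-directory (.env, .git, .htaccess, ...), not only
    # .ht*; the acme-challenge exception above is matched first.
    location ~ /\. { deny all; }
}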

# HTTPS block (enable after: certbot --nginx -d yourdomain.com). Note that this
# minimal block omits the security headers, the sensitive-directory and dotfile
# deny locations, and the `try_files $uri =404;` guard on the PHP location that
# the port-80 server above carries — copy those over before enabling it.
# server {
#     listen 443 ssl http2;
#     server_name yourdomain.com;
#     ssl_certificate     /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
#     ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
#     include /etc/letsencrypt/options-ssl-nginx.conf;
#     ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
#     root /var/www/profit-tracker/public;
#     index index.php;
#     location / { try_files $uri $uri/ /index.php?$query_string; }
#     location ~ \.php$ { include fastcgi_params; fastcgi_pass unix:/run/php/php8.2-fpm.sock; fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name; }
# }
