limit_req_zone $binary_remote_addr zone=tenpersec:10m rate=100r/s;

# first we declare our upstream server, which is our Gunicorn application
upstream robosats_gunicorn_rest {
    # docker will automatically resolve this to the correct address
    # because we use the same name as the service: "robosats"
    server localhost:8000;
    
}

upstream robosats_daphne_websocket {
    # docker will automatically resolve this to the correct address
    # because we use the same name as the service: "robosats"
    server localhost:9000;
}

# Define a variable for allowed IPs
geo $allowed_localIP {
    default 0;
    192.168.0.0/16 1;  # Allows access for IPs in the range 192.168.0.0/16 (192.168.0.0 ~ 192.168.255.255)
    #192.168.x.x 1; # or use your local IP for more security and remove the above line
}

map $host $allowed_onion {
    default 0;
    "~*your-robotest-admin-onion-address\.onion" 1;  # Allows access for your coordinator onion address
}

# now we declare our main server
server {

    listen 80;
    server_name robosats.com;
    large_client_header_buffers 4 64k;

    location /static {
        alias /usr/src/static;
    }
    
    # Tor to web providers (identification files)
    location /.well-known {
        alias /usr/src/.well-known;
    }

    location / {
        # requests are passed to Gunicorn
        proxy_pass http://robosats_gunicorn_rest;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_redirect off;
        # Replace with the onion hidden service of your coordinator
        add_header Onion-Location http://robosats6tkf3eva7x2voqso3a5wcorsnw34jveyxfqi2fu7oyheasid.onion$request_uri;
        limit_req zone=tenpersec burst=10;
    }

    location /coordinator {
        # Denies any access by default
        set $allow_access 0;

        if ($allowed_localIP = 1) {
            set $allow_access 1; # Allows access for local IPs
        }
        if ($allowed_onion = 1) {
            set $allow_access 1; # Allows access for your coordinator onion address
        }

        if ($allow_access = 0){
            return 403; # Access is forbidden if none of the above conditions are met.
        }

        proxy_pass http://robosats_gunicorn_rest;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_redirect off;
        # Replace with the onion hidden service of your coordinator
        add_header Onion-Location https://robosats6tkf3eva7x2voqso3a5wcorsnw34jveyxfqi2fu7oyheasid.onion$request_uri;

    }
    
    location /ws/ {
	# websockets are passed to Daphne
        proxy_pass http://robosats_daphne_websocket;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        limit_req zone=tenpersec burst=10;
    }

    location /nostr {
        proxy_pass http://127.0.0.1:7777;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
    }

    location /relay {
        proxy_pass http://127.0.0.1:7778;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
    }

    location = /favicon.ico { access_log off; log_not_found off; }

}