From b50c46d5bdbb1bd5e06a96a66b0696c1145ff4a9 Mon Sep 17 00:00:00 2001
From: Tyler Hoang <tyler@tylerhoang.xyz>
Date: Tue, 19 May 2026 01:24:28 -0700
Subject: feat: add nginx config with /api/ proxy block for VPS deployment

Routes /api/ to the FastAPI backend (8001) so NEXT_PUBLIC_API_BASE_URL
can be set to the public domain instead of localhost.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 README.md                       |  1 +
 nginx/prism.tylerhoang.xyz.conf | 53 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 54 insertions(+)
 create mode 100644 nginx/prism.tylerhoang.xyz.conf

diff --git a/README.md b/README.md
index d41c8d6..41ee1b4 100644
--- a/README.md
+++ b/README.md
@@ -26,6 +26,7 @@ The implementation copies and adapts finance logic from Prism v1 into `backend/`
   - `types/api.ts` shared frontend response types
 - `scripts/stack.sh` unified start/stop/restart/status script
 - `systemd/` systemd unit files for running as a system service
+- `nginx/` nginx server block config (proxies `/api/` to backend, `/` to frontend)
 - `.env.example` optional environment variables
 - `pytest.ini` backend pytest import path config
 
diff --git a/nginx/prism.tylerhoang.xyz.conf b/nginx/prism.tylerhoang.xyz.conf
new file mode 100644
index 0000000..c19183d
--- /dev/null
+++ b/nginx/prism.tylerhoang.xyz.conf
@@ -0,0 +1,53 @@
+server {
+    server_name prism.tylerhoang.xyz;
+
+    access_log /var/log/nginx/prism.tylerhoang.xyz.access.log;
+    error_log  /var/log/nginx/prism.tylerhoang.xyz.error.log;
+
+    location /api/ {
+        proxy_pass http://127.0.0.1:8001/api/;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    location / {
+        proxy_pass http://127.0.0.1:3001;
+        proxy_http_version 1.1;
+
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Port $server_port;
+
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+        proxy_read_timeout 86400;
+        proxy_send_timeout 86400;
+        proxy_buffering off;
+    }
+
+    listen 443 ssl; # managed by Certbot
+    listen [::]:443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/prism.tylerhoang.xyz/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/prism.tylerhoang.xyz/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+}
+
+server {
+    if ($host = prism.tylerhoang.xyz) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+    server_name prism.tylerhoang.xyz;
+
+    listen [::]:80;
+    listen 80;
+    return 404; # managed by Certbot
+}
-- 
cgit v1.3-2-g0d8e