# nginx vhost overrides for nibiru-framework.com

These files are picked up by **jwilder/nginx-proxy** when mounted into the
proxy container at `/etc/nginx/vhost.d/`. They hold per-vhost hardening and
cache rules for the docs site (apex + www).

## What's here

- `vhost.d/nibiru-framework.com_location` — apex domain rules
- `vhost.d/www.nibiru-framework.com_location` — www variant (identical rules)

Both files contain the same hardening (security headers, gzip, caching for
hashed Astro assets, no-cache for the service worker, …). They are kept
separate so adding a www → apex redirect later is a one-file change.

## Wiring into an existing nginx-proxy

The proxy container needs to read `/etc/nginx/vhost.d/`. Two common patterns:

### 1. Bind-mount a directory on the host

If your nginx-proxy is started with something like:

```yaml
volumes:
  - /srv/nginx-proxy/vhost.d:/etc/nginx/vhost.d:ro
```

then copy these files into that directory on the host:

```sh
sudo install -d /srv/nginx-proxy/vhost.d
sudo cp docs/nginx/vhost.d/* /srv/nginx-proxy/vhost.d/
sudo docker exec nginx-proxy nginx -s reload
```

Repeat the `cp` + reload after every change.

### 2. Bake them into the proxy image

If you build your own nginx-proxy image, `COPY docs/nginx/vhost.d/* /etc/nginx/vhost.d/`
in its Dockerfile. Then `docker compose up -d --build` on the proxy.

## Verifying

Once mounted and reloaded:

```sh
docker exec nginx-proxy nginx -T \
  | grep -A5 "server_name nibiru-framework.com"
```

You should see the `proxy_buffering off`, gzip, and security-header lines from
this directory inlined into the generated server block.

## Why two containers (and not one with a comma-separated VIRTUAL_HOST)

The acme-companion on this host does not handle comma-separated values in
`VIRTUAL_HOST` / `LETSENCRYPT_HOST` reliably — cert issuance fails. The fix is
to run one docs container per hostname (see `docker-compose.yml`).
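
A stricter form of the check in the Verifying section, as an added example that is not part of this repository: it reads `nginx -T` output and fails if the directives named there are absent for a given hostname, looking both in the generated server block and in the section `nginx -T` prints for that host's `vhost.d/<host>_location` file. The names `vhost_check` and `sample_dump`, the sample dump itself, and the assumption that the security headers are set with `add_header` are illustrative.

```shell
# Added example: read `nginx -T` output on stdin and check the hardening for one host.
vhost_check() {
  awk -v host="$1" '
    # nginx -T prints every loaded file under "# configuration file <path>:".
    /^# configuration file / { in_file = (index($0, "/vhost.d/" host "_location:") > 0); next }
    # Enter the generated server block whose server_name lists exactly this host.
    !in_srv && $1 == "server_name" {
      for (i = 2; i <= NF; i++) {
        name = $i; sub(/;$/, "", name)
        if (name == host) { in_srv = 1; depth = 1 }
      }
      next
    }
    # Track brace depth so the scan stops at the end of that server block.
    in_srv {
      depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
      if (depth <= 0) { in_srv = 0; next }
    }
    in_file || in_srv {
      if ($1 == "proxy_buffering" && $2 ~ /^off;?$/) seen["proxy_buffering off"] = 1
      if ($1 ~ /^gzip/) seen["gzip"] = 1
      if ($1 == "add_header") seen["add_header"] = 1   # assumed form of the security headers
    }
    END {
      n = split("proxy_buffering off|gzip|add_header", want, "|")
      for (i = 1; i <= n; i++)
        if (!(want[i] in seen)) { print "MISSING: " want[i]; bad = 1 }
      exit bad + 0
    }'
}

# Constructed sample of `nginx -T` output (not captured from the real host).
sample_dump() { cat <<'EOF'
# configuration file /etc/nginx/conf.d/default.conf:
server {
    server_name nibiru-framework.com;
    location / { include /etc/nginx/vhost.d/nibiru-framework.com_location; }
}
server {
    server_name www.nibiru-framework.com;
}
# configuration file /etc/nginx/vhost.d/nibiru-framework.com_location:
proxy_buffering off;
gzip on;
add_header X-Content-Type-Options "nosniff" always;
EOF
}
sample_dump | vhost_check nibiru-framework.com && echo "hardening present"
```

Against the running proxy, pipe the real dump in instead: `docker exec nginx-proxy nginx -T 2>/dev/null | vhost_check nibiru-framework.com`, and repeat for the www hostname.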