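# nginx/conf/nginx.conf
#
# TLS-terminating reverse proxy in front of Vault.
# Clients connect to the Tailscale hostname on 443; requests are re-encrypted
# and forwarded to the Vault container at https://vault:8200.

events {
    worker_connections 1024;
}

http {
    # Forward "Connection: upgrade" only when the client actually requested an
    # upgrade; ordinary requests get "close" instead of a hard-coded "upgrade".
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    server {
        listen 443 ssl;
        server_name macbook-pro.tailscale-name.ts.net;

        ssl_certificate     /etc/ssl/tailscale-cert.crt;
        ssl_certificate_key /etc/ssl/tailscale-key.key;

        # Pin the accepted protocol versions instead of relying on the build's
        # default, which on older nginx releases still includes TLS 1.0/1.1.
        ssl_protocols TLSv1.2 TLSv1.3;

        location / {
            # FIXED: Use container hostname instead of localhost
            proxy_pass https://vault:8200;

            # NOTE(review): these two directives do NOT make nginx trust Vault's
            # certificate. They set the *client* certificate nginx presents to
            # the upstream (mutual TLS). Nothing visible here shows that Vault
            # requires client certificates; if it does not, drop both lines so
            # Vault's private key is not mounted into the proxy container.
            proxy_ssl_certificate     /etc/vault-certs/vault.crt;
            proxy_ssl_certificate_key /etc/vault-certs/vault.key;

            # Upstream certificate verification is disabled, so nginx accepts
            # any certificate from whatever answers as "vault:8200", and Vault
            # tokens and secrets cross that hop to an unauthenticated peer.
            # With a mkcert-issued certificate the usual remedy is to mount the
            # mkcert root CA and verify against it (path below is a placeholder;
            # the Vault certificate must then carry a SAN matching "vault"):
            #
            #   proxy_ssl_trusted_certificate <PATH-TO-MKCERT-ROOT-CA.pem>;
            #   proxy_ssl_verify on;
            proxy_ssl_verify off;

            # Host is passed through so the upstream sees the original name;
            # $remote_addr is the address nginx observed and cannot be set by
            # the client, unlike the incoming X-Forwarded-For value that
            # $proxy_add_x_forwarded_for appends to.
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            # Important for WebSocket connections (Vault UI).
            # The Upgrade handshake needs HTTP/1.1 towards the upstream; nginx
            # has traditionally defaulted to HTTP/1.0 for proxied requests.
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }
    }

    # Optional: HTTP to HTTPS redirect.
    # $server_name (the configured name) is used rather than the client-supplied
    # Host header, so the redirect target cannot be influenced by the request.
    server {
        listen 80;
        server_name macbook-pro.tailscale-name.ts.net;
        return 301 https://$server_name$request_uri;
    }
}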