server {
    server_name YOUR_DOMAIN;

    # Internal upstream for Gitea webhook (post-HMAC verification)
    location /hooks/gitea-upstream {
        internal;
        proxy_pass http://127.0.0.1:YOUR_OPENCLAW_PORT/hooks/gitea;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Authorization "Bearer YOUR_OPENCLAW_GATEWAY_TOKEN";
        proxy_set_header X-Gitea-Event $http_x_gitea_event;
        proxy_set_header X-Gitea-Delivery $http_x_gitea_delivery;
        proxy_set_header X-Gitea-Signature $http_x_gitea_signature;
        proxy_buffering off;
        proxy_connect_timeout 10s;
        proxy_send_timeout 30s;
        proxy_read_timeout 30s;
        proxy_pass_request_body on;
    }

    # Other hooks pass through directly
    location /hooks/ {
        proxy_pass http://127.0.0.1:YOUR_OPENCLAW_PORT/hooks/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
        proxy_connect_timeout 10s;
        proxy_send_timeout 30s;
        proxy_read_timeout 30s;
        client_max_body_size 1m;
    }

    # Gitea webhook - HMAC-SHA256 verified by njs before proxying
    # Security layers: IP allowlist -> rate limit -> HMAC verify -> repo allowlist -> proxy
    location = /hooks/gitea {
        # Layer 1: IP allowlisting - only allow the Gitea server IP
        # Find your Gitea IP with: dig +short YOUR_GITEA_DOMAIN
        allow YOUR_GITEA_SERVER_IP;   # YOUR_GITEA_DOMAIN
        allow 127.0.0.1;              # localhost (for testing)
        allow ::1;                    # IPv6 localhost
        deny all;

        # Layer 2: Rate limiting
        limit_req zone=gitea_webhook burst=20 nodelay;

        # Layer 3: Payload size limit
        client_body_buffer_size 1m;
        client_max_body_size 1m;

        # Layer 4+5: HMAC verification + repo allowlist (njs)
        js_content gitea_hmac.verifyAndProxy;
    }

    # Main application (adjust to your backend)
    location / {
        proxy_pass http://127.0.0.1:YOUR_APP_PORT;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Frame-Options SAMEORIGIN;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        client_max_body_size 50M;
    }

    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/YOUR_DOMAIN/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}

server {
    if ($host = YOUR_DOMAIN) {
        return 301 https://$host$request_uri;
    }

    server_name YOUR_DOMAIN;
    listen 80;
    return 404;
}