# nginx-proxy

The single web ingress. Reverse-proxies HTTPS UIs and stream-proxies MQTT-TLS.

- **Networks**: `edge` (the only port-publisher) + `app` (talks to upstream services)
- **Host ports**: `tcp/80`, `tcp/443`, `tcp/8883`
- **Config**:
  - `config/nginx.conf` — base
  - `config/conf.d/*.conf` — HTTP vhosts (one per upstream UI)
  - `config/stream.d/mqtt.conf` — MQTT-TLS stream block, SNI route to mqtt broker
  - `config/certs/` — TLS certs (volume-mounted from cert manager)
- **TODO**: pick SSL strategy (acme-companion sidecar vs certbot vs internal PKI), write vhost templates per upstream