Fix lemande container

Services/lemonade/lemonade.nginx

@@ -0,0 +1,114 @@
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    ''      close;
+}
+
+server {
+    listen 80;
+    server_name models.badstorm.xyz;
+    return 301 https://$server_name$request_uri;
+}
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name models.badstorm.xyz;
+    charset utf-8;
+    keepalive_timeout 0;
+
+    # SSL
+    ssl_certificate /etc/nginx/ssl/live/ai.duckpage.net/fullchain.pem;
+    ssl_certificate_key /etc/nginx/ssl/live/ai.duckpage.net/privkey.pem;
+
+    # Improve HTTPS performance with session resumption
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+
+    # SSL Protocols and Ciphers
+    ssl_protocols TLSv1.3;
+    ssl_prefer_server_ciphers off;
+    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+    ssl_ecdh_curve secp521r1:secp384r1;
+
+    # Security Headers
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
+    add_header X-Frame-Options SAMEORIGIN always;
+    add_header X-Content-Type-Options nosniff always;
+    add_header X-Xss-Protection "1; mode=block" always;
+
+    # OCSP Stapling
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    ssl_trusted_certificate /etc/nginx/ssl/live/ai.duckpage.net/fullchain.pem;
+    resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s;
+    resolver_timeout 5s;
+
+    client_max_body_size 512M;
+    client_body_buffer_size 128k;
+
+    # Gzip
+    gzip on;
+    gzip_types text/plain text/xml text/css application/xhtml+xml application/xml image/svg+xml application/rss+xml application/atom_xml application/javascript application/x-javascript application/x-httpd-php application/x-httpd-fastphp application/x-httpd-eruby;
+
+    # ==============================
+    # Proxy per LLM /api/v1 (Copilot)
+    # ==============================
+    location /api/v1 {
+        proxy_http_version 1.1;
+
+        # WebSocket + SSE Support
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+
+        # ESSENZIALI per LLM (streaming)
+        proxy_buffering off;
+        proxy_request_buffering off;
+        proxy_cache off;
+
+        # Timeouts alti perché Copilot mantiene le connessioni aperte
+        proxy_connect_timeout 3600;
+        proxy_send_timeout 3600;
+        proxy_read_timeout 3600;
+        send_timeout 3600;
+
+        # Header classici
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        proxy_pass http://lemonade:8000/api/v1;
+    }
+
+    # ==============================
+    # Proxy main UI / altri endpoint
+    # ==============================
+    location / {
+        proxy_http_version 1.1;
+
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+
+        # Se anche qui hai streaming, puoi tenere questi:
+        proxy_buffering off;
+        proxy_request_buffering off;
+        proxy_cache off;
+
+        proxy_connect_timeout 600;
+        proxy_send_timeout 600;
+        proxy_read_timeout 600;
+        send_timeout 600;
+
+        proxy_redirect off;
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        proxy_pass http://lemonade:8000;
+    }
+
+    location ~ /\.ht {
+        deny all;
+    }
+}