server {
    listen 80;
    listen [::]:80;

    server_name orchestrator.yourdomain.com;

    # Allow Certbot challenges
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/certbot;   # Use your existing certbot webroot
        allow all;
    }

    # Everything else goes to the orchestrator backend (HTTP only for now)
    location / {
        proxy_pass http://127.0.0.1:8100;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}