Fix cloud-init: escape heredoc vars, add contact-api snippet, fix CORS

- Escape $uri/$host in heredocs so nginx sees them, not bash
- Rename heredoc markers (NGINXEOF, PROXYEOF, SVCEOF) to avoid conflicts
- Add contact-api nginx snippet WITHOUT proxy_set_header Origin (CORS fix)
- Fix contact-api clone URL to Forgejo
- Simplify .env template

terraform/cloud-init.yaml.tpl

@@ -26,7 +26,7 @@ mkdir -p /var/www/${project_name}/js
 DOMAIN=${domain}
 
 # Set up nginx configuration
-cat << 'EOF' > /etc/nginx/sites-available/${project_name}
+cat > /etc/nginx/sites-available/${project_name} << NGINXEOF
 server {
     root /var/www/${project_name};
     index index.html;
@@ -36,11 +36,11 @@ server {
         add_header Cache-Control "no-cache, no-store, must-revalidate";
         add_header Pragma "no-cache";
         add_header Expires "0";
-        try_files $uri $uri/ =404;
+        try_files \$uri \$uri/ =404;
     }
 
     location / {
-        try_files $uri $uri/ =404;
+        try_files \$uri \$uri/ =404;
     }
 
     add_header X-Frame-Options "SAMEORIGIN" always;
@@ -60,9 +60,9 @@ server {
     listen 80;
     listen [::]:80;
     server_name ${domain} www.${domain};
-    return 301 https://$host$request_uri;
+    return 301 https://\$host\$request_uri;
 }
-EOF
+NGINXEOF
 
 # Symlink nginx config
 ln -sf /etc/nginx/sites-available/${project_name} /etc/nginx/sites-enabled/${project_name}
@@ -70,8 +70,29 @@ ln -sf /etc/nginx/sites-available/${project_name} /etc/nginx/sites-enabled/${pro
 # Remove default nginx site
 rm -f /etc/nginx/sites-enabled/default
 
+# Set up nginx snippet for contact-api proxy (NO proxy_set_header Origin — breaks CORS)
+cat > /etc/nginx/snippets/contact-api.conf << 'PROXYEOF'
+location /api/contact {
+    proxy_pass http://127.0.0.1:3001;
+    proxy_http_version 1.1;
+    proxy_set_header Host \$host;
+    proxy_set_header X-Real-IP \$remote_addr;
+    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto \$scheme;
+}
+
+location /api/health {
+    proxy_pass http://127.0.0.1:3001;
+    proxy_http_version 1.1;
+    proxy_set_header Host \$host;
+}
+PROXYEOF
+
+# Include the snippet in the main server block
+sed -i '/location \/ {/i\    include /etc/nginx/snippets/contact-api.conf;' /etc/nginx/sites-available/${project_name}
+
 # Set up contact-api service
-cat << 'EOF' > /etc/systemd/system/contact-api.service
+cat > /etc/systemd/system/contact-api.service << 'SVCEOF'
 [Unit]
 Description=Contact Form API - Email Backend
 After=network.target
@@ -85,24 +106,21 @@ ExecStart=/usr/bin/node src/index.js
 Restart=on-failure
 RestartSec=10
 
-# Environment
 EnvironmentFile=/opt/contact-api/.env
 
-# Security
 NoNewPrivileges=true
 PrivateTmp=true
 ProtectSystem=strict
 ProtectHome=true
 ReadWritePaths=/opt/contact-api
 
-# Logging
 StandardOutput=journal
 StandardError=journal
 SyslogIdentifier=contact-api
 
 [Install]
 WantedBy=multi-user.target
-EOF
+SVCEOF
 
 # Start nginx
 systemctl restart nginx
@@ -111,22 +129,15 @@ systemctl restart nginx
 systemctl daemon-reload
 systemctl enable contact-api.service
 
-# Create .env file for contact-api
-cat << 'EOF' > /opt/contact-api/.env
-PORT=3001
-SMTP_HOST=smtp.example.com
-SMTP_PORT=587
-SMTP_USER=your-email@example.com
-SMTP_PASS=your-password
-FROM_EMAIL=noreply@krustyplanet.org
-FROM_NAME=KrustyPlanet
-EOF
-
-# Download contact-api source
+# Download contact-api source from Forgejo
 cd /opt/contact-api
-git clone https://codeberg.org/jez/contact-api.git .
-# Or download from URL if git repo doesn't exist
-# curl -L https://example.com/contact-api.tar.gz | tar -xzf -
+git clone ssh://git@git.jezzahehn.com:2222/KrustyPlanet/contact-api.git .
+chown -R www-data:www-data /opt/contact-api
+
+# .env will be created manually or via secrets management
+cat > /opt/contact-api/.env << 'ENVEOF'
+CONTACT_API_PORT=3001
+ENVEOF
 
 # Install dependencies
 npm install