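# Infrastructure - Nginx Schema
# Defines type-safe Nginx configuration generation
# Validates upstreams, locations, rate limiting, and TLS settings
#
# This file is a single Nickel record. The capitalised fields (`UpstreamServer`
# ... `NginxConfig`) are record contracts; the `*Preset` fields are concrete
# values intended to satisfy `NginxConfig`. The generator that turns these
# records into nginx.conf text is not part of this file, so anything about
# which directives a field produces is marked NOTE(review) rather than stated.
{
  # One backend of an upstream pool.
  UpstreamServer = {
    # "host:port" as nginx accepts it in a `server` directive.
    address | String,
    weight | Number | default = 1,
    # Failed attempts within `fail_timeout` before the peer is considered down.
    max_fails | Number | default = 3,
    # nginx duration string (e.g. "10s"); only checked to be a String here.
    fail_timeout | String | default = "10s",
  },

  # Upstream pool definition.
  Upstream = {
    # Referenced by `Location.proxy_pass` as "http://<name>".
    name | String,
    servers | Array UpstreamServer,
    # NOTE(review): nginx upstream `keepalive` only takes effect when the
    # proxying location also sets HTTP/1.1 and clears the Connection header;
    # whether the generator emits those is not visible from this file.
    keepalive | Number | default = 32,
    least_conn | Bool | default = false,
  },

  # Rate limiting zone (`limit_req_zone`).
  RateLimitZone = {
    name | String,
    # Key expression, e.g. "$binary_remote_addr" (per client address).
    key | String,
    # Shared-memory size for the zone, e.g. "10m".
    size | String | default = "10m",
    # Rate string such as "10r/s" or "5r/m".
    rate | String,
  },

  # TLS/SSL configuration.
  # NOTE(review): the contract does not require `cert_path` and `key_path`
  # when `enabled = true`; a preset that enables TLS without a certificate
  # still passes validation. A custom contract that blames in that case
  # would close the gap.
  TLSConfig = {
    enabled | Bool | default = false,
    cert_path | String | optional,
    key_path | String | optional,
    # TLS 1.2+ only by default; presets should not re-add TLSv1/TLSv1.1.
    protocols | Array String | default = ["TLSv1.2", "TLSv1.3"],
    # OpenSSL cipher string (TLS 1.2 and below; TLS 1.3 suites are not
    # controlled by this directive). The default is permissive: it still
    # admits RSA key exchange (no forward secrecy) and CBC suites.
    # Deployments that can drop legacy clients should override it with an
    # ECDHE/AEAD-only list, e.g. "ECDHE+AESGCM:ECDHE+CHACHA20".
    ciphers | String | default = "HIGH:!aNULL:!MD5",
  },

  # Security headers. All optional; unset headers are presumably not emitted.
  SecurityHeaders = {
    # Only honoured by browsers when received over HTTPS; setting it on a
    # plaintext server block has no effect.
    strict_transport_security | String | optional,
    content_security_policy | String | optional,
    x_frame_options | String | optional,
    # "nosniff" is the only meaningful value.
    x_content_type_options | String | optional,
  },

  # Location block configuration.
  Location = {
    path | String,
    proxy_pass | String | optional,
    # Header name -> value map. Values are assumed to be written into the
    # config verbatim, so they must never be built from untrusted input
    # (header injection) — NOTE(review): confirm against the generator.
    proxy_set_header | {_ | String} | default = {},
    # Rate string such as "10r/s" (see presets). NOTE(review): nginx applies
    # `limit_req` by zone name and burst, while the rate belongs to the zone;
    # how a per-location rate is mapped onto `rate_limit_zones` is not
    # visible here.
    rate_limit | String | optional,
    # HTTP basic auth; `user_file` is the htpasswd path when enabled.
    auth | {
      enabled | Bool | default = false,
      user_file | String | optional,
    } | default = {enabled = false},
    # NOTE(review): `allowed_origins` is optional even when `enabled = true`.
    # If the generator falls back to "*" in that case, it must not also emit
    # Access-Control-Allow-Credentials: true.
    cors | {
      enabled | Bool | default = false,
      allowed_origins | Array String | optional,
      allowed_methods | Array String | optional,
    } | default = {enabled = false},
    rewrite | {
      pattern | String | optional,
      replacement | String | optional,
      flags | String | optional,
    } | default = {},
  },

  # Server block configuration.
  ServerBlock = {
    # NOTE(review): nothing ties this to `tls.enabled`; a TLS-enabled block
    # still defaults to port 80 unless the preset overrides it.
    listen_port | Number | default = 80,
    server_names | Array String,
    tls | TLSConfig | default = {enabled = false},
    security_headers | SecurityHeaders | default = {},
    # Server-level value; in nginx it overrides the http-level
    # `NginxConfig.client_max_body_size`, so the "20m" default there only
    # matters if the generator omits this directive.
    client_max_body_size | String | default = "1m",
    proxy_read_timeout | String | default = "60s",
    proxy_connect_timeout | String | default = "60s",
    # Compression of responses that mix secrets with attacker-influenced
    # content over TLS is a BREACH vector; disable per server where relevant.
    gzip_enabled | Bool | default = true,
    locations | Array Location,
    rate_limit_zone | String | optional,
  },

  # Nginx configuration (top-level / http context).
  NginxConfig = {
    user | String | default = "nginx",
    worker_processes | Number | default = 4,
    worker_connections | Number | default = 1024,
    keepalive_timeout | String | default = "65s",
    sendfile | Bool | default = true,
    tcp_nopush | Bool | default = true,
    tcp_nodelay | Bool | default = true,
    types_hash_max_size | Number | default = 2048,
    # http-level default; see `ServerBlock.client_max_body_size`.
    client_max_body_size | String | default = "20m",
    upstreams | Array Upstream,
    rate_limit_zones | Array RateLimitZone | default = [],
    servers | Array ServerBlock,
  },

  # Platform service presets. Plain data (name, port, per-service rate);
  # these are not validated against any contract in this file.
  platformServicePresets = {
    orchestrator = {
      name = "orchestrator",
      listen_port = 8080,
      rate_limit = "10r/s",
    },
    control_center = {
      name = "control-center",
      listen_port = 8081,
      rate_limit = "5r/s",
    },
    extension_registry = {
      name = "extension-registry",
      listen_port = 8082,
      rate_limit = "20r/s",
    },
    api_server = {
      name = "api-server",
      listen_port = 8083,
      rate_limit = "100r/s",
    },
    mcp_server = {
      name = "mcp-server",
      listen_port = 8084,
      rate_limit = "50r/s",
    },
  },

  # Solo mode preset: single worker, loopback upstreams, plaintext on :80.
  # No TLS or security headers are set; acceptable only while both the
  # listener and the upstreams stay on the local host.
  soloNginxPreset = {
    user = "nginx",
    worker_processes = 1,
    worker_connections = 512,
    upstreams = [
      {
        name = "orchestrator",
        servers = [{address = "127.0.0.1:8080"}],
      },
      {
        name = "control-center",
        servers = [{address = "127.0.0.1:8081"}],
      },
    ],
    rate_limit_zones = [
      {
        name = "api_limit",
        key = "$binary_remote_addr",
        rate = "10r/s",
      },
    ],
    servers = [
      {
        listen_port = 80,
        server_names = ["localhost", "127.0.0.1"],
        locations = [
          {
            path = "/api/orchestrator",
            proxy_pass = "http://orchestrator",
            rate_limit = "10r/s",
          },
          {
            path = "/api/control-center",
            proxy_pass = "http://control-center",
            rate_limit = "5r/s",
          },
        ],
      },
    ],
  },

  # Enterprise mode preset: multi-worker, load-balanced upstreams, TLS.
  enterpriseNginxPreset = {
    user = "nginx",
    worker_processes = 8,
    worker_connections = 2048,
    client_max_body_size = "100m",
    upstreams = [
      {
        name = "orchestrator",
        servers = [
          {address = "orchestrator-1:8080", weight = 1},
          {address = "orchestrator-2:8080", weight = 1},
          {address = "orchestrator-3:8080", weight = 1},
        ],
        least_conn = true,
      },
      # NOTE(review): named "control_center" here but "control-center" in the
      # solo preset and in platformServicePresets; no location in this preset
      # references it, so nothing currently resolves to it.
      {
        name = "control_center",
        servers = [
          {address = "control-center-1:8081", weight = 1},
          {address = "control-center-2:8081", weight = 1},
        ],
      },
    ],
    rate_limit_zones = [
      {
        name = "api_limit",
        key = "$binary_remote_addr",
        rate = "100r/s",
        size = "50m",
      },
      # Intended for authentication endpoints; no location in this preset
      # uses it yet.
      {
        name = "login_limit",
        key = "$binary_remote_addr",
        rate = "5r/m",
        size = "10m",
      },
    ],
    servers = [
      {
        # NOTE(review): TLS is enabled but the listener is port 80. Unless the
        # generator switches the port itself, this should be 443, and the HSTS
        # header below is only honoured over HTTPS.
        listen_port = 80,
        server_names = ["api.example.com"],
        tls = {
          enabled = true,
          cert_path = "/etc/nginx/certs/api.crt",
          key_path = "/etc/nginx/certs/api.key",
          protocols = ["TLSv1.2", "TLSv1.3"],
        },
        security_headers = {
          strict_transport_security = "max-age=31536000; includeSubDomains",
          content_security_policy = "default-src 'self'",
          x_frame_options = "DENY",
          # Added: the other three headers were set but MIME sniffing was
          # left enabled on the public API host.
          x_content_type_options = "nosniff",
        },
        locations = [
          {
            path = "/api/",
            proxy_pass = "http://orchestrator",
            rate_limit = "100r/s",
          },
        ],
      },
    ],
  },
}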