# Provisioning Platform - Main Configuration
#
# Reverse proxy in front of the provisioning stack. Every location below
# proxies to an upstream name (control_center, orchestrator, api_server,
# oci_registry, extension_registry, gitea, grafana); the matching
# `upstream {}` blocks, the limit_req_zone/limit_conn_zone declarations and
# /etc/nginx/conf.d/proxy_params.conf all live outside this file.
#
# NOTE(review): `${VAR:-default}` is not nginx syntax. A templating step
# must expand these values before nginx loads the file — confirm that the
# step in use supports the `:-` default form, otherwise the literal text
# reaches server_name / ssl_certificate and the config fails to load.

# Plain-HTTP listener.
server {
    listen 80;
    server_name ${EXTERNAL_DOMAIN:-provisioning.local};

    # Redirect to HTTPS if enabled.
    # The body is currently empty (the return is commented out), so this
    # block is a no-op today.
    # NOTE(review): $http_x_forwarded_proto is whatever the client put in the
    # X-Forwarded-Proto header unless a trusted proxy in front overwrites it.
    # When this nginx terminates TLS itself (the 443 server below), $scheme
    # is the reliable value — confirm the topology before enabling the
    # redirect so a client-supplied header cannot skip it.
    if ($http_x_forwarded_proto != 'https') {
        # Uncomment for HTTPS redirect
        # return 301 https://$server_name$request_uri;
    }

    # Rate limiting (server-wide defaults). A limit_req directive inside a
    # location replaces this one rather than adding to it, so the
    # burst=50 locations below are *not* also subject to burst=20.
    limit_req zone=api_limit burst=20 nodelay;
    limit_conn conn_limit 10;

    # Root location - Control Center
    location / {
        proxy_pass http://control_center;
        include /etc/nginx/conf.d/proxy_params.conf;
    }

    # Orchestrator API
    # Longest-prefix match: this wins over /api/ for /api/orchestrator/...
    # The rewrite strips the prefix before proxying; `break` keeps the
    # request in this location.
    location /api/orchestrator/ {
        rewrite ^/api/orchestrator/(.*) /$1 break;
        proxy_pass http://orchestrator;
        include /etc/nginx/conf.d/proxy_params.conf;
        # API rate limiting (overrides the server-level limit_req)
        limit_req zone=api_limit burst=50 nodelay;
    }

    # Control Center API (prefix stripped, same pattern as above)
    location /api/control/ {
        rewrite ^/api/control/(.*) /$1 break;
        proxy_pass http://control_center;
        include /etc/nginx/conf.d/proxy_params.conf;
    }

    # Provisioning API Server
    # Catches every /api/... path not claimed by the two longer prefixes
    # above; the /api/ prefix is passed through unchanged.
    location /api/ {
        proxy_pass http://api_server;
        include /etc/nginx/conf.d/proxy_params.conf;
        # API rate limiting (overrides the server-level limit_req)
        limit_req zone=api_limit burst=50 nodelay;
    }

    # OCI Registry
    location /v2/ {
        proxy_pass http://oci_registry;
        include /etc/nginx/conf.d/proxy_params.conf;
        # Disable request buffering for large image pushes.
        # client_max_body_size 0 turns the body-size check off entirely.
        # NOTE(review): nothing in this block authenticates pushes — presumably
        # the registry itself does; confirm, since unbounded unauthenticated
        # uploads would be a resource-exhaustion risk.
        proxy_request_buffering off;
        client_max_body_size 0;
        # OCI registry specific headers
        # NOTE(review): proxy_set_header sends this header to the upstream.
        # Docker clients expect Docker-Distribution-Api-Version in the
        # *response* (add_header ... always). Check whether the registry
        # already emits it before changing, to avoid a duplicate header.
        proxy_set_header Docker-Distribution-Api-Version registry/2.0;
    }

    # Extension Registry
    # /extensions/X is rewritten to /api/v1/X on the upstream.
    location /extensions/ {
        rewrite ^/extensions/(.*) /api/v1/$1 break;
        proxy_pass http://extension_registry;
        include /etc/nginx/conf.d/proxy_params.conf;
    }

    # Gitea
    location /git/ {
        rewrite ^/git/(.*) /$1 break;
        proxy_pass http://gitea;
        include /etc/nginx/conf.d/proxy_params.conf;
        # Gitea-specific settings: raise the upload limit for pushes only
        # within this location.
        client_max_body_size 512M;
    }

    # Grafana
    location /grafana/ {
        rewrite ^/grafana/(.*) /$1 break;
        proxy_pass http://grafana;
        include /etc/nginx/conf.d/proxy_params.conf;
        # Grafana WebSocket support.
        # NOTE(review): Connection is forced to "upgrade" on every request,
        # not only those carrying an Upgrade header; the usual pattern maps
        # $http_upgrade to the Connection value in the http context.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    # Metrics endpoint (restricted)
    location /metrics {
        # Allow only from internal networks.
        # allow/deny rules are evaluated in order; the first match wins, so
        # "deny all" must stay last. Matching is on $remote_addr — if
        # proxy_params.conf or another file enables the real_ip module,
        # the address may come from a header; verify that only trusted
        # sources can set it.
        allow 172.20.0.0/16;
        allow 127.0.0.1;
        deny all;
        proxy_pass http://orchestrator/metrics;
        include /etc/nginx/conf.d/proxy_params.conf;
    }

    # Deny access to hidden files.
    # Matches any path segment starting with a dot, which also covers
    # /.well-known/...; add an exception if ACME HTTP-01 validation is
    # ever served from this host.
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }
}

# HTTPS configuration (when TLS is enabled)
server {
    listen 443 ssl http2;
    server_name ${EXTERNAL_DOMAIN:-provisioning.local};

    # TLS certificates (paths are template variables, see header note)
    ssl_certificate ${TLS_CERT_PATH:-/etc/nginx/ssl/provisioning.crt};
    ssl_certificate_key ${TLS_KEY_PATH:-/etc/nginx/ssl/provisioning.key};

    # TLS configuration.
    # NOTE(review): HIGH:!aNULL:!MD5 is OpenSSL's broad HIGH group and still
    # permits non-forward-secret RSA key exchange and CBC suites on TLS 1.2.
    # TLS 1.3 suites are not governed by ssl_ciphers.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # HSTS header. `always` adds it on error responses too. includeSubDomains
    # commits every subdomain of server_name to HTTPS for a year.
    # NOTE(review): add_header is not inherited into any location that
    # declares its own add_header; if the included file below does, HSTS is
    # silently absent there. Also, because the port-80 server does not
    # redirect, only clients that already reach 443 ever see this header.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Same locations as HTTP server.
    # NOTE(review): the port-80 server defines its locations inline, so this
    # holds only if provisioning_locations.conf duplicates them (including
    # the /metrics allow list and the hidden-file deny). Having both servers
    # include the same file would prevent drift.
    include /etc/nginx/conf.d/provisioning_locations.conf;
}