---
apiVersion: v1
kind: ConfigMap
metadata:
  name: atst-nginx
  namespace: atat
data:
  atst.conf: |-
    server {
        access_log /var/log/nginx/access.log json;

        listen ${PORT_PREFIX}342;
        server_name ${MAIN_DOMAIN};
        root /usr/share/nginx/html;
        location /.well-known/acme-challenge/ {
          try_files $uri =404;
        }
        location / {
          return 301 https://$host$request_uri;
        }
    }
    server {
        access_log /var/log/nginx/access.log json;

        listen ${PORT_PREFIX}343;
        server_name ${AUTH_DOMAIN};
        root /usr/share/nginx/html;
        location /.well-known/acme-challenge/ {
          try_files $uri =404;
        }
        location / {
          return 301 https://$host$request_uri;
        }
    }
    server {
        access_log /var/log/nginx/access.log json;

        server_name ${MAIN_DOMAIN};
        # access_log /var/log/nginx/access.log json;
        listen ${PORT_PREFIX}442 ssl;
        listen [::]:${PORT_PREFIX}442 ssl ipv6only=on;
        ssl_certificate /etc/ssl/atat.crt;
        ssl_certificate_key /etc/ssl/atat.key;
        # additional SSL/TLS settings
        include /etc/nginx/snippets/ssl.conf;

        location /login-redirect {
            return 301 https://${AUTH_DOMAIN}$request_uri;
        }
        location /login-dev {
            try_files $uri @appbasicauth;
        }
        location / {
            try_files $uri @app;
        }
        location @app {
            include uwsgi_params;
            uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
            uwsgi_param HTTP_X_REQUEST_ID $request_id;
        }
        location @appbasicauth {
            include uwsgi_params;
            uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
            auth_basic "Developer Access";
            auth_basic_user_file /etc/nginx/.htpasswd;
            uwsgi_param HTTP_X_REQUEST_ID $request_id;
        }
    }
    server {
        access_log /var/log/nginx/access.log json;

        server_name ${AUTH_DOMAIN};
        listen ${PORT_PREFIX}443 ssl;
        listen [::]:${PORT_PREFIX}443 ssl ipv6only=on;
        ssl_certificate /etc/ssl/atat.crt;
        ssl_certificate_key /etc/ssl/atat.key;
        # Request and validate client certificate
        ssl_verify_client on;
        ssl_verify_depth 10;
        ssl_client_certificate /etc/ssl/client-ca-bundle.pem;
        # additional SSL/TLS settings
        include /etc/nginx/snippets/ssl.conf;

        location / {
            return 301 https://${MAIN_DOMAIN}$request_uri;
        }
        location /login-redirect {
            try_files $uri @app;
        }
        location @app {
            include uwsgi_params;
            uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
            uwsgi_param HTTP_X_SSL_CLIENT_VERIFY $ssl_client_verify;
            uwsgi_param HTTP_X_SSL_CLIENT_CERT $ssl_client_raw_cert;
            uwsgi_param HTTP_X_SSL_CLIENT_S_DN $ssl_client_s_dn;
            uwsgi_param HTTP_X_SSL_CLIENT_S_DN_LEGACY $ssl_client_s_dn_legacy;
            uwsgi_param HTTP_X_SSL_CLIENT_I_DN $ssl_client_i_dn;
            uwsgi_param HTTP_X_SSL_CLIENT_I_DN_LEGACY $ssl_client_i_dn_legacy;
            uwsgi_param HTTP_X_REQUEST_ID $request_id;
        }
    }
  00json_log.conf: |-
    log_format json escape=json
      '{'
        '"timestamp":"$time_iso8601",'
        '"msec":"$msec",'
        '"request_id":"$request_id",'
        '"remote_addr":"$remote_addr",'
        '"remote_user":"$remote_user",'
        '"request":"$request",'
        '"status":$status,'
        '"body_bytes_sent":$body_bytes_sent,'
        '"referer":"$http_referer",'
        '"user_agent":"$http_user_agent",'
        '"http_x_forwarded_for":"$http_x_forwarded_for"'
      '}';