---
# Nginx Proxy Role Default Variables

# Nginx Installation
nginx_version: "latest"
nginx_package: nginx
nginx_service: nginx
nginx_user: www-data
nginx_group: www-data

# SSL Configuration
ssl_provider: "{{ ssl_provider | default('letsencrypt') }}"
ssl_email: "{{ ssl_email }}"
ssl_certificate_path: "{{ ssl_certificate_path | default('/etc/letsencrypt/live/' + domain_name) }}"
ssl_protocols:
  - TLSv1.2
  - TLSv1.3
ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
ssl_prefer_server_ciphers: true
ssl_session_cache: "shared:SSL:10m"
ssl_session_timeout: "1d"
ssl_session_tickets: false
ssl_stapling: true
ssl_stapling_verify: true

# HSTS Configuration
hsts_enabled: true
hsts_max_age: 63072000  # 2 years
hsts_include_subdomains: true
hsts_preload: true

# Security Headers
security_headers:
  X-Frame-Options: "SAMEORIGIN"
  X-Content-Type-Options: "nosniff"
  X-XSS-Protection: "1; mode=block"
  Referrer-Policy: "strict-origin-when-cross-origin"
  Permissions-Policy: "geolocation=(), microphone=(), camera=()"
  Content-Security-Policy: "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self'"

# Rate Limiting
rate_limiting_enabled: true
rate_limit_zone: "api"
rate_limit_requests: "10r/s"
rate_limit_burst: 20
rate_limit_nodelay: true

# Upstream Configuration
upstream_servers:
  - name: php-backend
    servers:
      - address: "127.0.0.1:9000"
        weight: 1
        max_fails: 3
        fail_timeout: 30s
    keepalive: 32
    keepalive_requests: 100
    keepalive_timeout: 60s

# Virtual Hosts
nginx_vhosts:
  - server_name: "{{ domain_name }}"
    listen: "443 ssl http2"
    root: "/var/www/html/public"
    index: "index.php index.html"
    ssl_certificate: "{{ ssl_certificate_path }}/fullchain.pem"
    ssl_certificate_key: "{{ ssl_certificate_path }}/privkey.pem"
    access_log: "/var/log/nginx/{{ domain_name }}-access.log main"
    error_log: "/var/log/nginx/{{ domain_name }}-error.log"
    extra_parameters: |
      # PHP-FPM Configuration
      location ~ \.php$ {
          try_files $uri =404;
          fastcgi_split_path_info ^(.+\.php)(/.+)$;
          fastcgi_pass php-backend;
          fastcgi_index index.php;
          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
          include fastcgi_params;
          fastcgi_param HTTPS on;
          fastcgi_param HTTP_SCHEME https;
      }
      
      # API Rate Limiting
      location /api/ {
          limit_req zone={{ rate_limit_zone }} burst={{ rate_limit_burst }}{{ ' nodelay' if rate_limit_nodelay else '' }};
          try_files $uri $uri/ /index.php$is_args$args;
      }
      
      # Static Assets
      location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
          expires 1y;
          add_header Cache-Control "public, immutable";
          access_log off;
      }
      
      # Security
      location ~ /\.ht {
          deny all;
      }
      
      location ~ /\. {
          deny all;
      }

# HTTP to HTTPS redirect
nginx_redirect_vhost:
  server_name: "{{ domain_name }}"
  listen: "80"
  return: "301 https://$server_name$request_uri"

# Global Nginx Configuration
nginx_worker_processes: "{{ nginx_worker_processes | default('auto') }}"
nginx_worker_connections: "{{ nginx_worker_connections | default(1024) }}"
nginx_multi_accept: true
nginx_sendfile: true
nginx_tcp_nopush: true
nginx_tcp_nodelay: true
nginx_keepalive_timeout: 65
nginx_keepalive_requests: 100
nginx_server_tokens: false
nginx_client_max_body_size: "100M"
nginx_client_body_timeout: 60
nginx_client_header_timeout: 60
nginx_send_timeout: 60

# Logging Configuration
nginx_access_log_format: |
  '$remote_addr - $remote_user [$time_local] "$request" '
  '$status $body_bytes_sent "$http_referer" '
  '"$http_user_agent" "$http_x_forwarded_for" '
  '$request_time $upstream_response_time'

nginx_error_log_level: "{{ log_level | default('warn') }}"

# Gzip Configuration
nginx_gzip: true
nginx_gzip_vary: true
nginx_gzip_proxied: any
nginx_gzip_comp_level: 6
nginx_gzip_types:
  - text/plain
  - text/css
  - text/xml
  - text/javascript
  - application/javascript
  - application/json
  - application/xml+rss
  - application/atom+xml
  - image/svg+xml

# Cache Configuration
nginx_cache_enabled: true
nginx_cache_path: "/var/cache/nginx"
nginx_cache_levels: "1:2"
nginx_cache_keys_zone: "framework_cache:10m"
nginx_cache_max_size: "1g"
nginx_cache_inactive: "60m"
nginx_cache_use_temp_path: false

# Real IP Configuration
nginx_real_ip_header: "X-Forwarded-For"
nginx_set_real_ip_from:
  - "127.0.0.1"
  - "10.0.0.0/8"
  - "172.16.0.0/12"
  - "192.168.0.0/16"

# Let's Encrypt Configuration
letsencrypt_enabled: "{{ ssl_provider == 'letsencrypt' }}"
letsencrypt_email: "{{ ssl_email }}"
letsencrypt_domains:
  - "{{ domain_name }}"
letsencrypt_webroot_path: "/var/www/letsencrypt"
letsencrypt_renewal_cron: true
letsencrypt_renewal_user: root
letsencrypt_renewal_minute: "30"
letsencrypt_renewal_hour: "2"

# Monitoring and Status
nginx_status_enabled: "{{ monitoring_enabled | default(true) }}"
nginx_status_location: "/nginx_status"
nginx_status_allowed_ips:
  - "127.0.0.1"
  - "::1"