# nginx.conf template (rendered with Jinja2). nginx fronts the K3s server nodes
# listed in k3s_server_ips: the K3s API port and DNS are load-balanced at layer 4
# (stream), and HTTP/HTTPS are load-balanced at layer 7 (http).
include /etc/nginx/modules-enabled/*.conf;

events {}

stream {
    # TCP load balancing for the K3s API. The stream proxy forwards bytes as-is,
    # so nginx does not terminate TLS or authenticate clients on this listener.
    # NOTE(review): there are no allow/deny rules here; confirm that a firewall
    # or allow-list limits who can reach the API port through this balancer.
    upstream k3s_servers {
        {% for ip in k3s_server_ips %}
        server {{ ip }}:{{k3s.loadbalancer.default_port}};
        {% endfor %}
    }

    server {
        listen {{k3s.loadbalancer.default_port}};
        proxy_pass k3s_servers;
    }

    # DNS forwarding to port 53 on every K3s server.
    upstream dns_servers {
        {% for ip in k3s_server_ips %}
        server {{ ip }}:53;
        {% endfor %}
    }

    server {
        # UDP only: there is no TCP listener on 53, so DNS over TCP (used for
        # large or truncated answers) is not forwarded by this block.
        # NOTE(review): no source restriction or rate limit is configured;
        # confirm this listener is reachable only by the intended clients.
        listen 53 udp;
        proxy_pass dns_servers;
    }
}

http {
    # Ingress back ends; least_conn sends each request to the server with the
    # fewest active connections.
    upstream k3s_servers_http {
        least_conn;
        {% for ip in k3s_server_ips %}
        server {{ ip }}:80;
        {% endfor %}
    }

    upstream k3s_servers_https {
        least_conn;
        {% for ip in k3s_server_ips %}
        server {{ ip }}:443;
        {% endfor %}
    }

    # Plain HTTP: proxied unencrypted to the cluster, with no redirect to HTTPS.
    server {
        listen 80;

        location / {
            proxy_pass http://k3s_servers_http;
            # $http_host is the raw client-supplied Host header (port included);
            # the TLS servers below forward the normalised $host instead.
            proxy_set_header Host $http_host;
            # $proxy_add_x_forwarded_for appends the peer address to whatever
            # X-Forwarded-For the client sent, so earlier entries are
            # client-controlled; back ends should trust only the last one.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto http;
        }
    }

    # Staging: TLS is terminated here with the staging certificate.
    # NOTE(review): no 443 server is marked default_server, so nginx uses this
    # first block for any request whose name matches neither server_name list;
    # such requests get the staging certificate and are proxied to the cluster.
    # Confirm that is intended, or add an explicit catch-all server.
    server {
        listen 443 ssl;
        server_name staging.k3s.seyshiro.de *.staging.k3s.seyshiro.de;

        # NOTE(review): the private key should be readable only by the account
        # that starts nginx; verify the file mode on the host.
        ssl_certificate /etc/nginx/ssl/staging_tls.crt;
        ssl_certificate_key /etc/nginx/ssl/staging_tls.key;

        location / {
            # Traffic is re-encrypted towards the cluster. proxy_ssl_verify is
            # not set and defaults to off, so the upstream certificate is not
            # validated; the hop is encrypted but not authenticated.
            proxy_pass https://k3s_servers_https;
            proxy_set_header Host $host;
            # Same X-Forwarded-For caveat as on port 80: only the last entry is
            # added by this proxy.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
    }

    # Production: same layout as staging, with the production certificate.
    # Both environments share the k3s_servers_https upstream, so they are
    # separated only by the Host header forwarded to the back end.
    server {
        listen 443 ssl;
        server_name k3s.seyshiro.de *.k3s.seyshiro.de;

        # NOTE(review): restrict read access to the private key as for staging.
        ssl_certificate /etc/nginx/ssl/production_tls.crt;
        ssl_certificate_key /etc/nginx/ssl/production_tls.key;

        location / {
            # Upstream certificate is not verified here either (proxy_ssl_verify
            # defaults to off).
            proxy_pass https://k3s_servers_https;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
    }
}