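# Bookstore storefront — nginx serving static files as a non-root user.
#
# Runs unprivileged: listens on :8080 and keeps all temp/runtime paths under
# /tmp so a read-only root filesystem + USER nonroot works in Kubernetes.
#
# The /api/ proxy is intentionally COMMENTED OUT: the upstream Service names
# differ per environment (e.g. catalog.bookstore.svc.cluster.local). Chapters
# that introduce Services/Ingress either uncomment and set the upstreams here
# (via a ConfigMap) or, more commonly, route /api at the Ingress layer.

worker_processes auto;
pid /tmp/nginx.pid;
error_log /dev/stderr warn;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    access_log /dev/stdout;
    sendfile on;

    # Do not advertise the nginx version in the Server header or on
    # built-in error pages; it is not needed by clients.
    server_tokens off;

    # Writable paths for an unprivileged / read-only-rootfs container.
    client_body_temp_path /tmp/client_body;
    proxy_temp_path /tmp/proxy;
    fastcgi_temp_path /tmp/fastcgi;
    uwsgi_temp_path /tmp/uwsgi;
    scgi_temp_path /tmp/scgi;

    server {
        listen 8080;
        server_name _;
        root /usr/share/nginx/html;
        index index.html;

        # SPA-style fallback: unknown paths serve index.html.
        location / {
            try_files $uri $uri/ /index.html;
        }

        # Liveness/readiness probe; kept out of the access log to avoid noise.
        location = /healthz {
            access_log off;
            # The body of `return` is typed by default_type. Overriding it here
            # yields exactly one Content-Type header; using add_header instead
            # would append a second one next to the inherited
            # application/octet-stream.
            default_type application/json;
            return 200 '{"status":"ok"}';
        }

        # --- Enable per environment (point at the real Service DNS names) ---
        # location /api/books {
        #     proxy_set_header Host $host;
        #     proxy_pass http://catalog.bookstore.svc.cluster.local:8080/books;
        # }
        # location /api/orders {
        #     proxy_set_header Host $host;
        #     proxy_pass http://orders.bookstore.svc.cluster.local:8080/orders;
        # }
    }
}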