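{{- /*
ConfigMap carrying the nginx server block that fronts PHP-FPM on 127.0.0.1:9000.

Rendered only when .Values.nginx.enabled is set. Values read here:
  nginx.forwardRealIP.{enabled,header,recursive,trustedProxies,additionalTrustedProxies}
  nginx.customConfig.{enabled,httpSnippet,serverSnippet}

The customConfig snippets and the forwardRealIP values are written into the
nginx configuration verbatim, with no validation or escaping. Treat them as
operator-controlled input and keep them out of values files that less trusted
parties can edit.
*/ -}}
{{- if .Values.nginx.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "phpfpm.fullname" . }}-nginx-config
  labels:
    {{- include "phpfpm.labels" . | nindent 4 }}
data:
  default.conf: |
    {{- if or .Values.nginx.forwardRealIP.enabled (and .Values.nginx.customConfig.enabled .Values.nginx.customConfig.httpSnippet) }}
    # HTTP-level configuration
    {{- if .Values.nginx.forwardRealIP.enabled }}
    # Real IP forwarding configuration
    real_ip_header {{ .Values.nginx.forwardRealIP.header }};
    {{- if .Values.nginx.forwardRealIP.recursive }}
    real_ip_recursive on;
    {{- end }}
    # Trusted proxy networks.
    # Any peer inside these ranges can set the client address nginx reports,
    # so list only the load balancers / ingress proxies that really sit in
    # front of this pod. A catch-all range makes $remote_addr client-chosen.
    {{- range .Values.nginx.forwardRealIP.trustedProxies }}
    set_real_ip_from {{ . }};
    {{- end }}
    {{- range .Values.nginx.forwardRealIP.additionalTrustedProxies }}
    set_real_ip_from {{ . }};
    {{- end }}
    {{- end }}
    {{- if and .Values.nginx.customConfig.enabled .Values.nginx.customConfig.httpSnippet }}
    # Custom HTTP-level configuration (inserted verbatim from values)
    {{- .Values.nginx.customConfig.httpSnippet | nindent 4 }}
    {{- end }}
    {{- end }}

    server {
        listen 8080;
        server_name _;
        root /var/www/html;
        index index.php index.html;

        # Security headers.
        # nginx inherits add_header from this level only into locations that
        # declare no add_header of their own; keep that in mind when adding
        # headers inside a location or a serverSnippet.
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;
        {{- if and .Values.nginx.customConfig.enabled .Values.nginx.customConfig.serverSnippet }}

        # Custom server-level configuration (inserted verbatim from values)
        {{- .Values.nginx.customConfig.serverSnippet | nindent 8 }}
        {{- end }}

        # Health check endpoint.
        # default_type sets the Content-Type of the "return" body. Using
        # add_header here would emit a second Content-Type header and would
        # also stop the server-level security headers from being inherited.
        location /health {
            access_log off;
            default_type text/plain;
            return 200 "healthy\n";
        }

        # Deny access to hidden files.
        # Regex locations are tried in the order they appear and the first
        # match wins, so this block has to precede the PHP handler; otherwise
        # a dot-directory path ending in .php would reach PHP-FPM instead of
        # being denied. Note that this also covers /.well-known/.
        location ~ /\. {
            deny all;
            access_log off;
            log_not_found off;
        }

        # Default location block
        location / {
            try_files $uri $uri/ /index.php?$query_string;
        }

        # PHP-FPM handler
        location ~ \.php$ {
            # Only hand existing files to PHP-FPM; a request for a .php path
            # that is not on disk is answered with 404 by nginx itself.
            try_files $uri =404;
            # This location matches only URIs that end in ".php", so the
            # split pattern below (which needs a trailing "/...") is not
            # expected to match and PATH_INFO stays empty.
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            {{- if .Values.nginx.forwardRealIP.enabled }}

            # Pass real IP information to PHP-FPM.
            # $remote_addr is the address after realip processing, i.e. the
            # client as vouched for by the trusted proxies above.
            # $realip_remote_addr would be the connecting proxy instead, so it
            # is not used for X-Real-IP.
            fastcgi_param REMOTE_ADDR $remote_addr;
            fastcgi_param HTTP_X_REAL_IP $remote_addr;
            # X-Forwarded-For still starts with whatever the client sent;
            # applications should base access decisions on REMOTE_ADDR.
            fastcgi_param HTTP_X_FORWARDED_FOR $proxy_add_x_forwarded_for;
            {{- end }}

            # Standard FastCGI parameters.
            # $host is taken from the request (Host header) and server_name
            # is a catch-all, so SERVER_NAME is client-influenced; the
            # application should not build absolute URLs from it unchecked.
            fastcgi_param SERVER_NAME $host;
            fastcgi_param SERVER_PORT $server_port;
            fastcgi_param HTTPS $https if_not_empty;
        }
    }
{{- end }}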