apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "phpmyadmin-nginx.fullname" . }}-nginx
  labels:
    {{- include "phpmyadmin-nginx.labels" . | nindent 4 }}
data:
  nginx.conf: |
    user  nginx;
    worker_processes  {{ .Values.nginx.config.workerProcesses }};
    
    error_log  /var/log/nginx/error.log warn;
    pid        /var/run/nginx.pid;
    
    events {
        worker_connections  {{ .Values.nginx.config.workerConnections }};
    }
    
    http {
        include       /etc/nginx/mime.types;
        default_type  application/octet-stream;
    
        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';
    
        access_log  /var/log/nginx/access.log  main;
    
        sendfile        on;
        tcp_nopush      on;
        tcp_nodelay     on;
    
        keepalive_timeout  65;
        types_hash_max_size 2048;
        client_max_body_size {{ .Values.nginx.config.clientMaxBodySize }};
    
        gzip  on;
        gzip_vary on;
        gzip_proxied any;
        gzip_comp_level 6;
        gzip_types text/plain text/css text/xml text/javascript 
                   application/json application/javascript application/xml+rss 
                   application/rss+xml font/truetype font/opentype 
                   application/vnd.ms-fontobject image/svg+xml;
    
        include /etc/nginx/conf.d/*.conf;
    }
  
  default.conf: |
    server {
        listen 8080;
        server_name _;
        
        root /var/www/html;
        index index.php index.html index.htm;
        
        charset utf-8;
        
        # Security headers
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Referrer-Policy "no-referrer-when-downgrade" always;
        
        # Disable access log for health checks
        location = /healthz {
            access_log off;
            return 200 "healthy\n";
            add_header Content-Type text/plain;
        }
        
        location / {
            try_files $uri $uri/ /index.php?$query_string;
        }
        
        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_buffer_size 128k;
            fastcgi_buffers 256 16k;
            fastcgi_busy_buffers_size 256k;
            fastcgi_temp_file_write_size 256k;
            fastcgi_read_timeout 600;
        }
        
        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
            expires max;
            log_not_found off;
            access_log off;
        }
        
        location ~ /\.(?!well-known).* {
            deny all;
        }
    }