user www-data;
worker_processes auto;
worker_rlimit_nofile 65536;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

error_log syslog:server=unix:/dev/log;

events {
  worker_connections 65536;
}

http {
  server {
    listen 0.0.0.0:1337;
    listen [::]:1337;

    location /healthz {
      return 200 "OK";
    }
  }
}

stream {
  # Map of Host -> IP
  # We will route the traffic to this endpoints.
  map $ssl_preread_server_name $selected_upstream {
    hostnames;

    # if not knonw, use some non existing response thingy :shrug:
    default               255.255.255.255:1;

    ## CLOUD
    proxmox.tjo.cloud            batuu.system.tjo.space:4443;
    postgresql.tjo.cloud         batuu.system.tjo.space:4443;
    monitor.tjo.cloud            nevaroo.system.tjo.space:4443;
    loki.monitor.tjo.cloud       nevaroo.system.tjo.space:4443;
    prometheus.monitor.tjo.cloud nevaroo.system.tjo.space:4443;
    grpc.otel.monitor.tjo.cloud  nevaroo.system.tjo.space:4443;
    http.otel.monitor.tjo.cloud  nevaroo.system.tjo.space:4443;
    vault.tjo.cloud              batuu.system.tjo.space:4443;

    ## HETZNER
    tjo.space                    nevaroo.system.tjo.space:4443;
    chat.tjo.space               nevaroo.system.tjo.space:4443;
    webhook.chat.tjo.space       nevaroo.system.tjo.space:4443;
    matrix.chat.tjo.space        nevaroo.system.tjo.space:4443;
    yt.tjo.space                 nevaroo.system.tjo.space:4443;
    search.tjo.space             nevaroo.system.tjo.space:4443;
    send.tjo.space               nevaroo.system.tjo.space:4443;

    ## BATUU
    cloud.tjo.space         batuu.system.tjo.space:4443;
    collabora.tjo.space     batuu.system.tjo.space:4443;
    code.tjo.space          batuu.system.tjo.space:4443;
    vault.tjo.space         batuu.system.tjo.space:4443;
    rss.tjo.space           batuu.system.tjo.space:4443;
    id.tjo.space            batuu.system.tjo.space:4443;
    ldap.id.tjo.space       batuu.system.tjo.space:4443;
    mnts.dev                batuu.system.tjo.space:4443;
    paperless.tjo.space     batuu.system.tjo.space:4443;
    penpot.tjo.space        batuu.system.tjo.space:4443;

    ## JAKKU
    books.tjo.space             jakku.system.tjo.space:4443;
    media.tjo.space             jakku.system.tjo.space:4443;
    next.media.tjo.space        jakku.system.tjo.space:4443;
    request.media.tjo.space     jakku.system.tjo.space:4443;
    tdarr.media.tjo.space       jakku.system.tjo.space:4443;
    stuff.tjo.space             jakku.system.tjo.space:4443;
    auth.media.tjo.space        jakku.system.tjo.space:4443;
    sonarr.media.tjo.space      jakku.system.tjo.space:4443;
    radarr.media.tjo.space      jakku.system.tjo.space:4443;
    lidarr.media.tjo.space      jakku.system.tjo.space:4443;
    prowlarr.media.tjo.space    jakku.system.tjo.space:4443;
    qbittorrent.media.tjo.space jakku.system.tjo.space:4443;
    bazarr.media.tjo.space      jakku.system.tjo.space:4443;
    readarr.media.tjo.space     jakku.system.tjo.space:4443;
  }

  geoip2 /var/geoip.mmdb {
    $geoip2_data_country_iso_code country iso_code;
    $geoip2_data_latitude         location latitude;
    $geoip2_data_longitude        location longitude;
  }

  log_format geoip_with_upstream 'country=$geoip2_data_country_iso_code '
                   'lat=$geoip2_data_latitude '
                   'long=$geoip2_data_longitude '
                   'ip=$remote_addr '
                   'protocol=$protocol '
                   'server_name=$ssl_preread_server_name '
                   'server_port=$server_port '
                   'upstream=$selected_upstream '
                   'status=$status '
                   'bytes_sent=$bytes_sent '
                   'bytes_received=$bytes_received '
                   'session_time=$session_time';

  log_format geoip 'country=$geoip2_data_country_iso_code '
                   'lat=$geoip2_data_latitude '
                   'long=$geoip2_data_longitude '
                   'ip=$remote_addr '
                   'protocol=$protocol '
                   'server_port=$server_port '
                   'status=$status '
                   'bytes_sent=$bytes_sent '
                   'bytes_received=$bytes_received '
                   'session_time=$session_time';

  # HTTPS
  server {
    access_log        syslog:server=unix:/dev/log geoip_with_upstream;
    listen            0.0.0.0:443;
    listen            [::]:443;
    proxy_pass        $selected_upstream;
    proxy_protocol    on;
    resolver          9.9.9.9 1.1.1.1 8.8.8.8 8.8.4.4;
    set_real_ip_from  0.0.0.0/0;
    ssl_preread       on;
    include           /etc/nginx/partials/blocked-bad-crawlers.conf;
    include           /etc/nginx/partials/blocked-manual.conf;
  }

  # GIT
  server {
    access_log        syslog:server=unix:/dev/log geoip;
    listen            0.0.0.0:22;
    listen            [::]:22;
    proxy_pass        batuu.system.tjo.space:2244;
    proxy_protocol    on;
    resolver          9.9.9.9 1.1.1.1 8.8.8.8 8.8.4.4;
    set_real_ip_from  0.0.0.0/0;
    include           /etc/nginx/partials/blocked-bad-crawlers.conf;
    include           /etc/nginx/partials/blocked-manual.conf;
  }

  # EMAIL
  server {
    access_log        syslog:server=unix:/dev/log geoip;
    listen            0.0.0.0:25;
    listen            [::]:25;
    listen            0.0.0.0:143;
    listen            [::]:143;
    listen            0.0.0.0:465;
    listen            [::]:465;
    listen            0.0.0.0:587;
    listen            [::]:587;
    listen            0.0.0.0:993;
    listen            [::]:993;
    listen            0.0.0.0:4190;
    listen            [::]:4190;
    proxy_pass        nevaroo.system.tjo.space:$server_port;
    proxy_protocol    on;
    resolver          9.9.9.9 1.1.1.1 8.8.8.8 8.8.4.4;
    set_real_ip_from  0.0.0.0/0;
  }
}