# certctl test environment: NGINX as a certificate deployment target.
#
# Lifecycle of the files under /etc/nginx/certs/:
#   1. On container start the compose entrypoint generates a self-signed
#      placeholder pair, so NGINX can boot before any cert is deployed.
#   2. The certctl agent later overwrites cert.pem / key.pem with the real
#      material and reloads NGINX.
#
# Review notes (this is a test fixture, not a hardened production config):
#   - key.pem is a private key. Its ownership and mode are decided by whoever
#     writes it (entrypoint, agent), not by this file; confirm it is not
#     world-readable inside the container or on any shared volume.
#   - NGINX loads certificate and key together on reload, so a reload that
#     lands between the two writes sees a mismatched pair. The agent's write
#     order is not visible here; verify both files are in place before the
#     reload is signalled.
#   - A check that only confirms port 443 answers also passes against the
#     self-signed placeholder. To prove a deployment happened, compare the
#     served certificate's issuer or fingerprint with the expected one.

events {
    worker_connections 1024;
}

http {
    # Plain-HTTP listener: permanent redirect to HTTPS (optional, for realism).
    server {
        server_name _;
        listen 80;

        # $host comes from the client's request (Host header), so the redirect
        # target echoes a client-supplied name. Acceptable for a catch-all test
        # server; a real deployment would redirect to a fixed hostname.
        return 301 https://$host$request_uri;
    }

    # TLS listener: presents whatever pair currently sits in /etc/nginx/certs/.
    server {
        server_name _;
        listen 443 ssl;

        # TLS 1.2 and 1.3 only. With server preference off the client's cipher
        # ordering is honoured; no ssl_ciphers is set, so the NGINX defaults apply.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers off;

        # Placeholder at boot, agent-deployed certificate and key afterwards.
        ssl_certificate_key /etc/nginx/certs/key.pem;
        ssl_certificate /etc/nginx/certs/cert.pem;

        # Liveness probe. This is a prefix match, so paths that merely start
        # with /health are answered here too.
        location /health {
            default_type text/plain;
            return 200 'ok\n';
        }

        # Everything else gets a fixed banner; no files are served from disk.
        location / {
            default_type text/plain;
            return 200 'certctl test environment — NGINX is serving TLS\n';
        }
    }
}