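{{- /*
  gomplate template: for every entry of the "config" datasource, render one
  nginx upstream plus one server block that proxies requests to an S3-style
  bucket. When both key files are configured, requests are signed with the
  legacy AWS "signature version 2" scheme (HMAC-SHA1 over a string-to-sign).

  Per-entry keys read here: bucket, upstream, hostnames, repo_mode,
  upstream_use_tls, proxy_ssl_protocols, proxy_hide_header,
  access_key_id_file, secret_access_key_file.

  NOTE(review): the nginx variables $repo and $request_path are used below but
  not defined in this template; presumably they come from a map or set
  elsewhere in the nginx configuration. Confirm that $request_path matches the
  path that is finally proxied ($uri after the rewrites at the end of the
  location), otherwise the signature will not verify upstream.
*/ -}}
{{- $config := ds "config" }}
{{- $defaults := data.YAML "{hostnames: [localhost], repo_mode: false, upstream_use_tls: false, proxy_ssl_protocols: TLSv1.2 TLSv1.3, proxy_hide_header: [X-Amz-*]}" -}}
{{- range $config }}
{{- $this := coll.Merge . $defaults }}
{{- $upstream_host := index ($this.upstream | strings.Split ":") 0 }}
{{- /*
  Normalise the TLS switch once and use the boolean everywhere below. Testing
  the raw value would treat any non-empty string, including "false", as true.
  Values that conv.ToBool does not recognise as true convert to false, which
  selects the plain-HTTP branch, so prefer a real YAML boolean in the config.
*/ -}}
{{- $upstream_use_tls := $this.upstream_use_tls | conv.ToBool }}
{{- $access_key_id_file := index $this "access_key_id_file" }}
{{- $secret_access_key_file := index $this "secret_access_key_file" -}}
upstream backend_s3_{{ $this.bucket }} {
  server {{ $this.upstream }};
}

server {
  listen 8080;
  server_name {{ conv.Join $this.hostnames " " }};

  location / {
    {{/* Signing is enabled only when both credential files are configured. */}}
    {{ if and $access_key_id_file $secret_access_key_file -}}
    set_by_lua $now "return ngx.http_time(ngx.time())";

    set_by_lua_block $access_key_id {
      -- Read the access key id from disk on each request and strip all
      -- whitespace. The path is substituted into this Lua string literal at
      -- render time, so it must come from trusted configuration only.
      local f, err = io.open('{{ $access_key_id_file }}', 'r')
      local content
      if f == nil then
        -- Unreadable file: the error is logged and nil is returned, so the
        -- request presumably continues with an empty key and is rejected by
        -- the upstream rather than here.
        ngx.log(ngx.STDERR, err)
      else
        content = string.gsub(f:read("*all"), "%s", "")
        f:close()
      end
      return content
    }

    set_by_lua_block $secret_access_key {
      -- Same as above for the secret key. The value lives in an nginx
      -- variable for the duration of the request; keep it out of any
      -- log_format or debug output.
      local f, err = io.open('{{ $secret_access_key_file }}', 'r')
      local content
      if f == nil then
        ngx.log(ngx.STDERR, err)
      else
        content = string.gsub(f:read("*all"), "%s", "")
        f:close()
      end
      return content
    }

    {{/* The string-to-sign hard-codes the GET verb, so only GET requests carry a valid signature. */}}
    set $string_to_sign "GET\n\n\n${now}\n/{{ $this.bucket }}{{ if $this.repo_mode | conv.ToBool }}/${repo}{{ end }}$request_path";
    set_hmac_sha1 $aws_signature "$secret_access_key" "$string_to_sign";
    set_encode_base64 $aws_signature "$aws_signature";
    proxy_set_header Date "$now";
    proxy_set_header Authorization "AWS $access_key_id:$aws_signature";
    {{ end -}}

    {{- if $upstream_use_tls }}
    {{/* TLS upstream: SNI and the verified name are the upstream host without its port; the certificate is checked against the system CA bundle. */}}
    proxy_pass https://backend_s3_{{ $this.bucket }}/{{ $this.bucket }}{{ if $this.repo_mode | conv.ToBool }}/${repo}{{ end }}$uri;
    proxy_ssl_name {{ $upstream_host }};
    proxy_ssl_server_name on;
    proxy_ssl_verify on;
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    proxy_ssl_protocols {{ $this.proxy_ssl_protocols }};
    {{- else }}
    {{/* Plain-HTTP upstream (the default): the Date and Authorization headers travel unencrypted, so use this only on a trusted network path. */}}
    proxy_pass http://backend_s3_{{ $this.bucket }}/{{ $this.bucket }}{{ if $this.repo_mode | conv.ToBool }}/${repo}{{ end }}$uri;
    {{- end }}

    proxy_http_version 1.1;
    proxy_buffering off;
    proxy_connect_timeout 300;
    proxy_intercept_errors on;
    absolute_redirect off;

    {{ if $upstream_use_tls -}}
    proxy_set_header Host "{{ $upstream_host }}";
    {{- else }}
    proxy_set_header Host $host;
    {{- end }}
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    {{/* Strip the configured upstream response headers (default pattern X-Amz-*) before answering the client. */}}
    {{- with $this.proxy_hide_header }}
    {{ range $this.proxy_hide_header }}
    more_clear_headers {{ . }};
    {{- end }}
    {{- end }}
    proxy_ignore_headers Set-Cookie;

    {{/* Dot-less paths without a trailing slash are redirected to the slash form; directory-style paths are then served from their index.html. */}}
    rewrite ^([^.]*[^/])$ $1/ permanent;
    rewrite ^(.*)/$ $1/index.html break;
    rewrite ^(.*/[^./]+)$ $1/index.html break;
  }
}
{{- end -}}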