# =============================================================================
# WOOO TECH - Monitor Dashboard
# Nginx 配置 - UAT Server (192.168.0.110)
# 所有監控工具統一入口
# 2026-02-08 整理版本 - 移除 Harbor，其他服務保留
# =============================================================================

# 上游服務定義
# All upstreams below are reached over plain HTTP (see the proxy_pass lines in
# the server blocks). Most are on loopback; the 10.43.x.x ones leave this host.

# Docker Grafana, proxied at /grafana/.
upstream grafana_backend {
    server 127.0.0.1:3000;
}

upstream prometheus_backend {
    # K8s Prometheus ClusterIP
    # NOTE(review): a ClusterIP is only routable where the cluster's service
    # rules exist and changes if the Service is recreated; confirm this host
    # is a cluster node and that the address is still current.
    server 10.43.25.78:9090;
}

upstream alertmanager_backend {
    # K8s Alertmanager ClusterIP
    server 10.43.79.187:9093;
}

# Portainer, proxied at /portainer/.
upstream portainer_backend {
    server 127.0.0.1:9000;
}

# n8n, proxied at /n8n/.
# Presumably also a K8s ClusterIP (same 10.43.x.x range as above); confirm.
upstream n8n_backend {
    server 10.43.193.218:5678;
}

# Apache Superset, proxied at /superset/.
upstream superset_backend {
    server 127.0.0.1:8088;
}

# GitLab, fronted by the gitlab.wooo.work server block.
upstream gitlab_backend {
    server 127.0.0.1:8929;
}

# Nextcloud, fronted by the cloud.wooo.work server block.
upstream nextcloud_backend {
    server 127.0.0.1:8081;
}

# Loki, proxied at /loki/.
upstream loki_backend {
    server 127.0.0.1:3100;
}

# Metabase, proxied at /metabase/.
upstream metabase_backend {
    server 127.0.0.1:3001;
}

# Grist (see the grist.wooo.work server block).
upstream grist_backend {
    server 127.0.0.1:8484;
}

# cAdvisor, proxied at /cadvisor/.
upstream cadvisor_backend {
    server 127.0.0.1:8080;
}

# Blackbox Exporter, proxied at /blackbox/.
upstream blackbox_backend {
    server 127.0.0.1:9115;
}

# Node Exporter, proxied at /node-exporter/.
upstream node_exporter_backend {
    server 127.0.0.1:9100;
}

# PostgreSQL Exporter, proxied at /postgres-exporter/.
upstream postgres_exporter_backend {
    server 127.0.0.1:9187;
}

# K8s Grafana (NodePort)
upstream k8s_grafana_backend {
    server 127.0.0.1:30030;
}

# Docker Registry (served over HTTPS through the Nginx proxy)
upstream registry_backend {
    server 127.0.0.1:5002;
}

# =============================================================================
# monitor.wooo.work - 監控入口 (HTTP -> HTTPS 重定向)
# =============================================================================
server {
    listen 80;
    server_name monitor.wooo.work;

    # HSTS - force HTTPS
    # NOTE(review): browsers ignore Strict-Transport-Security received over
    # plain HTTP (RFC 6797), so on this listener the header has no effect; the
    # policy is established by the 443 server block.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
    # The redirect target is built from $server_name (the configured name), not
    # from the client-supplied Host header.
    return 301 https://$server_name$request_uri;
}

# =============================================================================
# monitor.wooo.work - 監控入口 (HTTPS)
# =============================================================================
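server {
    listen 443 ssl http2;
    server_name monitor.wooo.work;

    # NOTE(review): no location in this server block sets auth_basic,
    # auth_request or allow/deny, so access control rests entirely on each
    # backend and on network reachability of this host. Prometheus,
    # Alertmanager, Loki, cAdvisor and the exporters ship without
    # authentication unless it is enabled on the backend; confirm who can
    # reach this vhost and add an ACL or authentication in front of them.

    # Response headers. They apply to every location below because none of them
    # declares its own add_header (a location-level add_header would replace,
    # not extend, this set).
    # HSTS - force HTTPS
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
    # Same hardening headers the gitlab/cloud/grist vhosts in this file send;
    # SAMEORIGIN keeps the admin UIs below from being framed by other origins.
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;

    # TLS certificate
    ssl_certificate /etc/letsencrypt/live/monitor.wooo.work/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/monitor.wooo.work/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # Monitoring landing page (static files)
    root /var/www/monitor;
    index index.html;

    # API proxy - forwards to the MOMO app
    location /api/ {
        proxy_pass https://mo.wooo.work/api/;
        proxy_set_header Host mo.wooo.work;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Verify the upstream certificate. With verification off, the TLS hop
        # to mo.wooo.work accepts any certificate, so a host in the network
        # path could impersonate the API.
        proxy_ssl_server_name on;
        proxy_ssl_name mo.wooo.work;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        # Debian/Ubuntu CA bundle path; on RHEL-family hosts use
        # /etc/pki/tls/certs/ca-bundle.crt. If mo.wooo.work uses a private CA,
        # point this at that CA's certificate instead.
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    }

    # Landing page
    location = / {
        try_files /index.html =404;
    }

    # =========================================================================
    # Docker Grafana (Port 3000)
    # =========================================================================
    location /grafana/ {
        proxy_pass http://grafana_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    # =========================================================================
    # K8s Grafana (NodePort 30030)
    # =========================================================================
    location /k8s-grafana/ {
        proxy_pass http://k8s_grafana_backend/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_redirect / /k8s-grafana/;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # sub_filter cannot rewrite a compressed body, so ask the backend for
        # an uncompressed response (the /superset/ location does the same).
        proxy_set_header Accept-Encoding "";

        # Rewrite absolute paths so they stay under /k8s-grafana/; without the
        # "/api/" rule the UI's calls would land on the /api/ location above.
        sub_filter_once off;
        sub_filter_types text/html application/javascript;
        sub_filter 'src="/' 'src="/k8s-grafana/';
        sub_filter '"/api/' '"/k8s-grafana/api/';
    }

    # =========================================================================
    # Prometheus (Port 9090)
    # =========================================================================
    location /prometheus/ {
        proxy_pass http://prometheus_backend/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_redirect / /prometheus/;
    }

    # =========================================================================
    # Alertmanager (Port 9093)
    # =========================================================================
    location /alertmanager/ {
        proxy_pass http://alertmanager_backend/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_redirect / /alertmanager/;
    }

    # =========================================================================
    # Portainer (Port 9000)
    # =========================================================================
    # NOTE(review): Portainer manages the container runtime; its own login is
    # the only gate visible from this file.
    location /portainer/ {
        proxy_pass http://portainer_backend/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /portainer/api/ {
        proxy_pass http://portainer_backend/api/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    # =========================================================================
    # n8n (Port 5678)
    # =========================================================================
    location /n8n/ {
        proxy_pass http://n8n_backend/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_read_timeout 300s;
        proxy_send_timeout 300s;
    }

    # =========================================================================
    # Apache Superset BI (Port 8088)
    # =========================================================================
    # Superset emits root-relative auth and asset paths; redirect them back
    # under the /superset/ prefix.
    location = /login/ {
        return 302 /superset/login/;
    }
    location = /logout/ {
        return 302 /superset/logout/;
    }
    location ^~ /lang/ {
        return 302 /superset$request_uri;
    }
    location ^~ /users/ {
        return 302 /superset$request_uri;
    }

    location ^~ /static/ {
        return 302 /superset$request_uri;
    }

    # Superset login page: mapped straight to the backend's /login/
    location = /superset/login/ {
        proxy_pass http://superset_backend/login/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /superset/ {
        # Bare /superset/ (no query string) redirects to the welcome page
        if ($request_uri = /superset/) {
            return 302 /superset/welcome/;
        }
        proxy_pass http://superset_backend;

        # Keep backend redirects under /superset/: pass through Location
        # values already prefixed, and prefix every other root-relative one.
        proxy_redirect ~^(/superset/.*)$ $1;
        proxy_redirect ~^/(?!superset)(.*)$ /superset/$1;

        # sub_filter needs an uncompressed body from the backend
        gzip off;
        proxy_set_header Accept-Encoding "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        sub_filter '"/static/' '"/superset/static/';
        sub_filter "'/static/" "'/superset/static/";
        sub_filter_once off;
        sub_filter_types text/html application/javascript text/css;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_connect_timeout 300;
        proxy_send_timeout 300;
        proxy_read_timeout 300;
    }

    # =========================================================================
    # Loki (Port 3100)
    # =========================================================================
    # NOTE(review): this exposes Loki's HTTP API (log queries and ingestion)
    # with no gate at the proxy; confirm that is intended.
    location /loki/ {
        proxy_pass http://loki_backend/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # =========================================================================
    # Metabase (Port 3001)
    # =========================================================================
    location /metabase/ {
        proxy_pass http://metabase_backend/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_redirect / /metabase/;
    }

    # =========================================================================
    # cAdvisor (Port 8080)
    # =========================================================================
    location /cadvisor/ {
        proxy_pass http://cadvisor_backend/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_redirect / /cadvisor/;
    }

    # =========================================================================
    # Blackbox Exporter (Port 9115)
    # =========================================================================
    # NOTE(review): the exporter endpoints below are normally scraped by
    # Prometheus, not browsed. Blackbox issues probes on behalf of its caller
    # and the others publish host and database metrics; consider dropping
    # these locations or limiting them to the scraper's address.
    location /blackbox/ {
        proxy_pass http://blackbox_backend/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # =========================================================================
    # Node Exporter (Port 9100)
    # =========================================================================
    location /node-exporter/ {
        proxy_pass http://node_exporter_backend/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # =========================================================================
    # PostgreSQL Exporter (Port 9187)
    # =========================================================================
    location /postgres-exporter/ {
        proxy_pass http://postgres_exporter_backend/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # =========================================================================
    # Docker Registry (Port 5002)
    # =========================================================================
    location /registry/ {
        proxy_pass http://registry_backend/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # The registry needs large uploads (image layers).
        # NOTE(review): 0 removes the body-size limit entirely; unless the
        # registry enforces authentication itself, pushes are bounded only by
        # disk space. Confirm registry auth is enabled.
        client_max_body_size 0;
        proxy_read_timeout 900;
        proxy_send_timeout 900;
    }
}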

# =============================================================================
# gitlab.wooo.work - GitLab (僅內網)
# =============================================================================
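server {
    listen 80;
    server_name gitlab.wooo.work;

    # This vhost is documented as intranet-only, but nothing enforced that.
    # Limit clients to loopback and the RFC 1918 private ranges; narrow the
    # list to the actual LAN/VPN subnets where they are known.
    allow 127.0.0.0/8;
    allow 10.0.0.0/8;
    allow 172.16.0.0/12;
    allow 192.168.0.0/16;
    deny all;

    # NOTE(review): plain HTTP only, so GitLab credentials, session cookies and
    # access tokens cross the network unencrypted and X-Forwarded-Proto below
    # reports "http". Add a TLS listener if a certificate can be issued for
    # this name.

    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # Legacy header: current browsers no longer implement the XSS filter it
    # controlled, so it adds no real protection.
    add_header X-XSS-Protection "1; mode=block" always;

    location / {
        proxy_pass http://gitlab_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_buffers 8 32k;
        proxy_buffer_size 64k;
        # 0 disables the request-body limit (large pushes and uploads).
        client_max_body_size 0;
        proxy_read_timeout 600s;
    }
}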

# =============================================================================
# cloud.wooo.work - Nextcloud (僅內網)
# =============================================================================
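server {
    listen 80;
    server_name cloud.wooo.work;

    # This vhost is documented as intranet-only, but nothing enforced that.
    # Limit clients to loopback and the RFC 1918 private ranges; narrow the
    # list to the actual LAN/VPN subnets where they are known.
    allow 127.0.0.0/8;
    allow 10.0.0.0/8;
    allow 172.16.0.0/12;
    allow 192.168.0.0/16;
    deny all;

    # NOTE(review): plain HTTP only, so Nextcloud logins, session cookies and
    # file contents cross the network unencrypted. Add a TLS listener if a
    # certificate can be issued for this name.

    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # Legacy header: current browsers no longer implement the XSS filter it
    # controlled, so it adds no real protection.
    add_header X-XSS-Protection "1; mode=block" always;

    location / {
        proxy_pass http://nextcloud_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Allow uploads of up to 10G per request.
        client_max_body_size 10G;
        proxy_read_timeout 600s;
    }
}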

# =============================================================================
# grist.wooo.work - Grist (僅內網)
# =============================================================================
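server {
    listen 80;
    server_name grist.wooo.work;

    # This vhost is documented as intranet-only, but nothing enforced that.
    # Limit clients to loopback and the RFC 1918 private ranges; narrow the
    # list to the actual LAN/VPN subnets where they are known.
    allow 127.0.0.0/8;
    allow 10.0.0.0/8;
    allow 172.16.0.0/12;
    allow 192.168.0.0/16;
    deny all;

    # NOTE(review): plain HTTP only, so logins and document data cross the
    # network unencrypted. Add a TLS listener if a certificate can be issued
    # for this name.

    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # Legacy header: current browsers no longer implement the XSS filter it
    # controlled, so it adds no real protection.
    add_header X-XSS-Protection "1; mode=block" always;

    # The vhost had no location block, so requests never reached grist_backend
    # (127.0.0.1:8484) and were answered from Nginx's default document root.
    # This proxies them the same way the gitlab/cloud vhosts do.
    location / {
        proxy_pass http://grist_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket support (Grist's document UI uses WebSockets)
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}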
