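# ConfigMap holding the nginx configuration of the per-stream TLS load
# balancer. This file is a Jinja template; it reads deploy.namespace,
# deploy.stream, deploy.streamers and desc.streams[deploy.stream].port.
apiVersion: v1
kind: ConfigMap
metadata:
  # Templated scalars are quoted so that an empty, numeric-looking or
  # boolean-looking value still renders as a YAML string.
  namespace: "{{ deploy.namespace }}"
  name: "stream-lb-{{ deploy.stream }}"
  labels:
    app: nginx
    type: stream-lb
    stream: "{{ deploy.stream }}"
data:
  nginx.conf: |
    worker_processes 4;
    pid /srv/nginx.pid;
    error_log /dev/stderr notice;

    events {
      worker_connections 768;
      # multi_accept on;
    }

    http {
      sendfile on;
      tcp_nopush on;
      tcp_nodelay on;
      keepalive_timeout 65;
      types_hash_max_size 2048;
      server_names_hash_bucket_size 64;

      include /etc/nginx/mime.types;
      default_type application/octet-stream;

      # Access logging is discarded, so only error_log (stderr) records
      # activity on the public listener.
      access_log /dev/null;

      # One loopback server per streamer; each of them answers with a
      # redirect to that streamer (see the server blocks at the end).
      upstream streamers {
        {% for streamer in deploy.streamers %}
        server localhost:{{ 10000 + loop.index }};
        {% endfor %}
      }

      # Public TLS front end for the stream port.
      server {
        listen {{ desc.streams[deploy.stream].port }} ssl default_server;
        listen [::]:{{ desc.streams[deploy.stream].port }} ssl default_server;

        # TLS 1.0 and 1.1 are deprecated (RFC 8996) and are no longer
        # offered. Add TLSv1.3 here once the nginx and OpenSSL build in
        # the image are confirmed to support it.
        ssl_protocols TLSv1.2;
        # NOTE(review): RSA+AES admits static-RSA key exchange, which has
        # no forward secrecy; consider trimming the list to ECDHE/DHE
        # suites after checking which clients must connect.
        ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AES:!ADH:!AECDH:!MD5;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        ssl_session_tickets off;

        # Certificate chain and private key are read from /srv/acme;
        # they are not part of this ConfigMap.
        ssl_certificate /srv/acme/fullchain;
        ssl_certificate_key /srv/acme/privkey;

        server_name _;
        root /srv/www;

        location / {
          proxy_pass http://streamers;
        }
      }

      # Loopback-only redirectors: the upstream above picks one of them,
      # and it sends the client to the matching streamer over https with
      # caching disabled so that every request is balanced again.
      {% for streamer in deploy.streamers %}
      server {
        listen localhost:{{ 10000 + loop.index }};

        expires -1s;
        add_header Cache-Control "no-store,must-revalidate,max-age=0";

        location / {
          return 302 https://{{ streamer }}:{{ desc.streams[deploy.stream].port }}$request_uri;
        }
      }
      {% endfor %}
    }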