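# Front-door nginx configuration: sets connection limits, DNS resolution for
# container upstreams, shared logging, a catch-all HTTP→HTTPS redirect, and
# loads the per-tenant server blocks from conf.d.
# The directives are laid out one per line: with everything on a single line,
# the first '#' would turn the rest of the file into a comment.

events {
    worker_connections 1024;
}

http {
    # Do not advertise the exact nginx version in the Server header or on
    # built-in error pages. Set at http level, so the included tenant server
    # blocks inherit it unless they override it.
    server_tokens off;

    # Use Docker's embedded DNS resolver so container names resolve dynamically.
    # This is critical — without it nginx resolves upstream names at startup only
    # and won't pick up newly provisioned tenant containers.
    # valid=5s overrides the DNS TTL: answers are cached for five seconds.
    # NOTE(review): the resolver is only consulted at request time when the
    # proxied address is given through a variable (a literal hostname in
    # proxy_pass is still resolved once, at configuration load). The tenant
    # blocks are not part of this file — confirm they are written that way.
    resolver 127.0.0.11 valid=5s ipv6=off;

    # Shared log format
    # NOTE(review): the format does not record $host. If tenant blocks write
    # to this shared access log, entries cannot be attributed to a tenant
    # during an investigation; consider adding $host once log consumers can
    # accept the extra field.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent"';

    access_log /var/log/nginx/access.log main;
    error_log  /var/log/nginx/error.log warn;

    # Redirect all HTTP → HTTPS
    # NOTE(review): $host comes from the request (request line or Host
    # header), so the Location header echoes whatever name the client sent,
    # and as default_server this block also answers for names no tenant owns.
    # If the tenant domains are known at provisioning time, prefer redirecting
    # only for explicit server_name entries and let the catch-all refuse the
    # request (for example `return 444;`).
    server {
        listen 80 default_server;
        return 301 https://$host$request_uri;
    }

    # Pick up per-tenant server blocks dropped by the provisioning worker
    # NOTE(review): every file matching this glob is loaded as trusted
    # configuration. The directory should be writable only by the provisioning
    # worker, and tenant-supplied values (hostnames, upstream names) should be
    # validated before they are written into a file there.
    # No default_server for port 443 is defined in this file; unless an
    # included file declares one, HTTPS requests for an unmatched name are
    # handled by the first 443 server block that was loaded, i.e. by one
    # tenant's site and certificate.
    include /etc/nginx/conf.d/*.conf;
}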