# 04 — SWAG Nginx Proxy Configs (Prod)

## Context

Production uses the same SWAG template files as test, with production subdomain values and StorageBox-backed output directories.

## Required Environment Variables

The production env file is `prod/secrets/iklim.co/.env` on StorageBox.

```bash
API_SUBDOMAIN=api.iklim.co
APIGW_SUBDOMAIN=apigw.iklim.co
RABBITMQ_SUBDOMAIN=rabbitmq.iklim.co
GRAFANA_SUBDOMAIN=grafana.iklim.co
RESTRICTED_IPS="78.187.87.109/32,95.70.151.248/32"

SWAG_CERT_DIR=/mnt/storagebox/ssl
SWAG_DNS_CONFIG_DIR=/mnt/storagebox/swag/dns-conf
SWAG_SITE_CONFS_DIR=/mnt/storagebox/swag/site-confs
SWAG_PROXY_CONFS_DIR=/mnt/storagebox/swag/proxy-confs
```

## Template Files

The shared templates live under root `template/swag/`:

- `template/swag/dns-conf/godaddy.ini.tpl`
- `template/swag/site-confs/default.conf`
- `template/swag/site-confs/api.conf.tpl`
- `template/swag/site-confs/apigw.conf.tpl`
- `template/swag/site-confs/rabbitmq.conf.tpl`
- `template/swag/site-confs/grafana.conf.tpl`

## Deploy Behavior

The production workflow renders:

- GoDaddy DNS credentials into `$SWAG_DNS_CONFIG_DIR/godaddy.ini`.
- SWAG site configs into `$SWAG_SITE_CONFS_DIR`.
- Optional proxy configs into `$SWAG_PROXY_CONFS_DIR` when templates exist.

Because StorageBox is mounted on the service nodes, files rendered by the runner are visible to SWAG regardless of which service node runs the container.

## Verification

```bash
cat /mnt/storagebox/swag/site-confs/api.conf | grep server_name
docker exec $(docker ps -q -f name=iklimco_swag | head -1) nginx -t
curl -si https://api.iklim.co/health
```

Expected:

- `server_name api.iklim.co;`
- Nginx config syntax is valid.
- Public API returns an APISIX response with a valid `*.iklim.co` certificate.

## Historical / Superseded by Setup

The previous `SWAG_CONFIG_DIR=/mnt/storagebox/swag/config` and `.env.prod` references are superseded. Use the split `SWAG_DNS_CONFIG_DIR`, `SWAG_SITE_CONFS_DIR`, and `SWAG_PROXY_CONFS_DIR` variables from the current setup.