# /etc/nginx/conf.d/00-captcha-init.conf
lua_package_path "/etc/nginx/lua/?.lua;;";

# A resolver is required by ngx.location.capture -> proxy_pass to Cloudflare.
resolver 1.1.1.1 1.0.0.1 8.8.8.8 ipv6=off valid=300s;
resolver_timeout 5s;

# Trust store + protocols for cosocket TLS (used to call siteverify)
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
lua_ssl_verify_depth        3;
lua_ssl_protocols           TLSv1.2 TLSv1.3;

lua_shared_dict ts_walkaway 10m;   # per-IP challenge counters
lua_shared_dict ts_reported 1m;    # IPs reported recently (15-min cooldown)

# Pre-load the module so the env file is read once per worker.
init_by_lua_block {
    require("captcha")
}

log_format ts '$remote_addr - $host "$request" $status $body_bytes_sent '
              'ts=$sent_http_x_turnstile '
              'rt=$request_time '
              'ua="$http_user_agent" ref="$http_referer"';