# This file is managed by Ansible. Do not make configuration changes directly.

map $scheme $hsts_header {
	https "max-age=63072000; preload";
}

server {
	listen 80;
	listen 443 ssl http2;

	server_name {{ item.fqdn }};

	ssl_certificate /etc/letsencrypt/live/{{ item.cert_domain|default(item.fqdn) }}/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/{{ item.cert_domain|default(item.fqdn) }}/privkey.pem;

	if ($http_user_agent ~* "gptbot") {
		return 444;
	}

	if ($scheme = "http") {
		return 301 https://$host$request_uri;
	}

	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection $http_connection;
	proxy_http_version 1.1;
	add_header Strict-Transport-Security $hsts_header always;

	{% if item.restricted|default(false) %}
	{% for ip in (item.allowed_ips|default(["10.242.0.0/16"])) %}
	allow {{ ip }};
	{% endfor %}
	deny all;
	satisfy all;
	{% endif %}

	client_max_body_size {{ item.max_upload|default("1M") }};	

	location / {
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection $http_connection;
		proxy_http_version 1.1;
		add_header X-Served-By $host;
		proxy_set_header Host $host;
		proxy_set_header X-Forwarded-Scheme $scheme;
		proxy_set_header X-Forwarded-Proto  $scheme;
		proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
		proxy_set_header X-Real-IP          $remote_addr;
		proxy_pass       {{ item.upstream }}$request_uri;
	}
}