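# {{ansible_managed}}

# Plain-HTTP vhost: answers ACME http-01 challenges and redirects
# everything else to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name {{gitea_domain}};

    # Redirect to the configured domain rather than $host: if this vhost
    # ever acts as the default server on :80, a forged Host header would
    # otherwise turn the redirect into an open redirect.
    location / {
        return 301 https://{{gitea_domain}}$request_uri;
    }

    # ACME http-01 challenge files served straight from disk (no http2 here).
    # This location must be declared explicitly, otherwise "location /"
    # above would also catch /.well-known/.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        # trailing slash matters: alias maps the location prefix onto this directory
        alias /var/www/dehydrated/;
    }
}

# HTTPS vhost: terminates TLS and reverse-proxies to Gitea on 127.0.0.1:3000.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name {{gitea_domain}};
    http2 on;

    # Log file names use the first DNS label of gitea_domain.
    # NOTE(review): the "json" log_format must be declared in the http{}
    # context elsewhere; this template does not define it.
    access_log /var/log/nginx/{{ gitea_domain | regex_replace('^([^.]+)\..*', '\\1') }}.access.log json;
    error_log  /var/log/nginx/{{ gitea_domain | regex_replace('^([^.]+)\..*', '\\1') }}.error.log warn;

    # Certificates obtained through the http-01 location above (dehydrated layout).
    ssl_certificate     /etc/dehydrated/certs/{{gitea_domain}}/fullchain.pem;
    ssl_certificate_key /etc/dehydrated/certs/{{gitea_domain}}/privkey.pem;

    # Optional source-IP allowlist. When allow_ips is undefined the vhost is
    # reachable from anywhere; when it is defined (even as an empty list)
    # only the listed addresses/CIDRs get through. The loop sits inside the
    # same guard as "deny all" so that an undefined allow_ips does not abort
    # template rendering.
    {% if allow_ips is defined %}
    {% for allow_ip in allow_ips %}
    allow {{allow_ip}};
    {% endfor %}
    deny all;
    {% endif %}

    location / {
        client_max_body_size 512M;
        proxy_pass http://127.0.0.1:3000;
        # HTTP/1.1 towards the upstream is what nginx's WebSocket proxying
        # documentation requires when forwarding Upgrade requests.
        proxy_http_version 1.1;
        proxy_set_header Connection $http_connection;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Host $host;
        # Gitea only trusts these client-address headers from proxies it is
        # configured to trust; the loopback upstream address used here is
        # covered by Gitea's default trusted-proxy list — confirm on the Gitea side.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    ssi off;
    autoindex off;
    autoindex_exact_size off;

    # Keep the access log free of browser/crawler noise.
    location = /robots.txt { access_log off; log_not_found off; }
    location = /favicon.ico { access_log off; log_not_found off; }
    location ~ /apple-touch-icon { access_log off; log_not_found off; }
}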