# {{ ansible_managed }}

server {
	listen 443 ssl http2 default_server;
	listen [::]:443 ssl http2 default_server;
	server_name {{ etherpad_domain }};

	{% if acme_bootstrap_certs %}
	include "snippets/snakeoil.conf";
	{% else %}
	ssl_certificate     "/var/lib/dehydrated/certs/{{ etherpad_domain }}/fullchain.pem";
	ssl_certificate_key "/var/lib/dehydrated/certs/{{ etherpad_domain }}/privkey.pem";
	{% endif %}

	add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
	add_header X-Content-Type-Options nosniff;

	location / {
		proxy_pass http://127.0.0.1:9001/;
		include proxy_params;

		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection $http_connection;
	}

	include "snippets/acme.conf";
}

server {
	listen 80 default_server;
	listen [::]:80 default_server;
	server_name {{ etherpad_domain }};

	location / {
		rewrite ^/(.*) https://$server_name$request_uri? redirect;
	}

	include "snippets/acme.conf";
}