server {
	listen 443 ssl http2 default_server;
	listen [::]:443 ssl http2;
	server_name {{ monitoring_domain }};

	{% if monitoring_bootstrap_cert %}
	include "snippets/snakeoil.conf";
	{% else %}
	ssl_certificate     "/var/lib/dehydrated/certs/{{ monitoring_domain }}/fullchain.pem";
	ssl_certificate_key "/var/lib/dehydrated/certs/{{ monitoring_domain }}/privkey.pem";
	{% endif %}

	add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
	add_header X-Frame-Options DENY;
	add_header X-Content-Type-Options nosniff;
	add_header X-Robots-Tag noindex;

	location / {
		proxy_pass http://localhost:9000/;
		include proxy_params;
	}

	location /prometheus/ {
		proxy_pass http://localhost:9090/prometheus/;
		include proxy_params;

		{% for range in trusted_ranges %}
		allow "{{ range.cidr }}";
		{% endfor %}
		allow "127.0.0.1";
		allow "::1";
		deny all;
	}

	include "snippets/acme.conf";
}

server {
	listen 80 default_server;
	listen [::]:80;
	server_name {{ monitoring_domain }};

	location / {
		rewrite ^/(.*) https://$server_name$request_uri? redirect;
	}

	include "snippets/acme.conf";
}