ansible/roles/git-server/templates/nginx-site.conf

# {{ ansible_managed }}

server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;
	server_name {{ git_server_domain }};
	client_max_body_size 4G;

	{% if git_server_bootstrap_cert %}
	include "snippets/snakeoil.conf";
	{% else %}
	ssl_certificate     "/var/lib/dehydrated/certs/{{ git_server_domain }}/fullchain.pem";
	ssl_certificate_key "/var/lib/dehydrated/certs/{{ git_server_domain }}/privkey.pem";
	{% endif %}

	add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
	add_header X-Frame-Options DENY;
	add_header X-Content-Type-Options nosniff;
	add_header X-Robots-Tag noindex;

	location / {
		proxy_pass http://localhost:9001;
		include proxy_params;
	}

	location ~* \.keys$ {
		deny all;
	}

	include "snippets/acme.conf";
}

server {
	listen 80;
	listen [::]:80;
	server_name {{ git_server_domain }};

	location / {
		rewrite ^/(.*) https://$server_name$request_uri? redirect;
	}

	include "snippets/acme.conf";
}