{{ ansible_managed | comment }}

{# helper variables and per-site defaults that we can't set in role defaults #}
{% set domain_name    = item.domain_name %}
{% set domain_aliases = item.domain_aliases | default("") %}
{# assume optional features are off unless a vhost explicitly sets them #}
{% set enable_hsts    = item.enable_hsts | default(false) %}
{% set has_wordpress  = item.has_wordpress | default(false) %}
{% set needs_php      = item.needs_php | default(false) %}
{% set has_gitea      = item.has_gitea | default(false) %}
{# Allow sites to override the document root #}
{% if item.document_root is defined %}
{%   set document_root = item.document_root %}
{% else %}
{%   set document_root = (nginx_root_prefix, domain_name) | ansible.builtin.path_join %}
{% endif %}

# http -> https vhost
server {
    listen 80;
    listen [::]:80;
    server_name {{ domain_name }} {{ domain_aliases }};

    {% include 'well-known.j2' %}

    # redirect http -> https
    location / {
        # ? in rewrite makes sure nginx doesn't append query string again
        # see: http://wiki.nginx.org/NginxHttpRewriteModule#rewrite
        rewrite ^ https://{{ domain_name }}$request_uri? permanent;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;

    root {{ document_root }};

    {# will only work if the TLS cert covers the domain + aliases, like example.com and www.example.com #}
    server_name {{ domain_name }} {{ domain_aliases }};

    index {% if has_wordpress == true or needs_php == true %}index.php{% else %}index.html{% endif %};

    access_log  /var/log/nginx/{{ domain_name }}-access.log;
    error_log   /var/log/nginx/{{ domain_name }}-error.log;

    {% include 'https.j2' %}

    {% if has_wordpress == true %}
        {% include 'wordpress.j2' %}
    {% endif %}

    {% if has_gitea == true %}
        {% include 'gitea.j2' %}
    {% endif %}

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    {% if has_wordpress == true or needs_php == true %}
    location ~ [^/]\.php(/|$) {
        # Zero-day exploit defense.
        # http://forum.nginx.org/read.php?2,88845,page=3
        # Won't work properly (404 error) if the file is not stored on this server, which is entirely possible with php-fpm/php-fcgi.
        # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on another machine.  And then cross your fingers that you won't get hacked.
        try_files $uri =404;

        #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
        fastcgi_split_path_info ^(.+\.php)(/.+)$;

        # Protect against "HTTPoxy" vulnerability in PHP libraries
        # See: https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
        # See: https://httpoxy.org/
        fastcgi_param HTTP_PROXY "";

        {% if ansible_distribution == 'Debian' and ansible_distribution_major_version is version('12', '==') %}
        fastcgi_pass unix:/run/php/php8.2-fpm-{{ domain_name }}.sock;
        {% elif (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11', '==')) %}
        fastcgi_pass unix:/run/php/php7.4-fpm-{{ domain_name }}.sock;
        {% else %}
        fastcgi_pass unix:/var/run/php5-fpm-{{ domain_name }}.sock;
        {% endif %}
        fastcgi_index index.php;
        # set script path relative to document root in server block
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;

        fastcgi_cache global;
        # Set X-Fastcgi-Cache header to "HIT", "MISS", "BYPASS", etc
        add_header X-Fastcgi-Cache $upstream_cache_status;
        # Don't cache when user shift-refreshes (Pragma: no-cache) or when a user is logged in!
        fastcgi_cache_bypass $http_pragma $wordpress_logged_in;
        fastcgi_no_cache $http_pragma $wordpress_logged_in;

        {% if enable_hsts == true %}
        # Enable this if you want HSTS (recommended, but be careful)
        # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
        # See: https://hstspreload.appspot.com/
        add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
        {% endif %}

        include extra-security.conf;
    }
    {% endif %}

    include extra-security.conf;
}

{% if has_wordpress == true %}
# Check if a user is logged in
# if so, set $wordpress_logged_in = 1
# otherwise, set $wordpress_logged_in = 0
# See: http://jeradbitner.com/2012/02/nginx-do-not-cache-logged-in-drupal-or-wordpress-users/
# See: http://syshero.org/post/50053543196/disable-nginx-cache-based-on-cookies
# See nginx bug: http://trac.nginx.org/nginx/ticket/707
map $http_cookie $wordpress_logged_in {
    default 0;

    ~wordpress_logged_in 1;
}
{% endif %}