################################################################################
# This file was generated by Ansible for {{ansible_fqdn}}
# Do NOT modify this file by hand!
################################################################################

{% if item.key == "default" %}
server {
    listen        {{ item.value.listen | default(80) }} default_server;
    listen   [::]:{{ item.value.listen | default(80) }} default_server;
    server_name _;
    return        444;

    access_log /var/log/nginx/{{ item.key }}_access.log;
    error_log /var/log/nginx/{{ item.key }}_error.log error;

}

{% else %}
upstream {{ item.key }}_backend  {
{% for upstream in item.value.upstreams %}
    server {{upstream.backend_address}}:{{upstream.backend_port}};
{% endfor %}
}

server {
   listen         {{ item.value.listen | default(80) }};
   listen    [::]:{{ item.value.listen | default(80) }};
   server_name    {{ item.value.domains | join(' ') }};

   location / {
      gzip off;
      proxy_set_header X-Forwarded-Ssl on;
      client_max_body_size {{ item.value.client_max_body_size | default('50M') }};
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Frame-Options SAMEORIGIN;
      proxy_pass http://{{ item.key }}_backend;
{% if item.value.auth is defined %}
      auth_basic "Restricted Content";
      auth_basic_user_file /etc/nginx/{{ item.key }}_htpasswd;
{% endif %}
   }

   location /.well-known {
      alias /var/www/{{ item.key }}/.well-known;
   }

   access_log /var/log/nginx/{{ item.key }}_access.log;
   error_log /var/log/nginx/{{ item.key }}_error.log error;

}
{% endif %}