# {{ ansible_managed }}

limit_req_zone $binary_remote_addr zone=req_gitea_login:10m rate=10r/m;

upstream gitea_backend {
{% if gitea_config.server.protocol is defined and
      gitea_config.server.protocol == 'unix' %}
    server unix:{{ gitea_config.server.http_addr }};
{% else %}
    server 127.0.0.1:{{ gitea_port }};
{% endif %}
}

server {
    listen 80;
{% if ansible_all_ipv6_addresses | length %}
    listen [::]:80;
{% endif %}
    server_name {{ gitea_domain }};

    access_log /var/log/nginx/gitea.access.log main;
    error_log /var/log/nginx/gitea.error.log warn;

    location /.well-known/acme-challenge/ {
        root /var/www/html;
        try_files $uri =404;
    }

{% if gitea_ssl_enabled is defined and
      gitea_ssl_enabled %}
    location / {
        return 301 https://$server_name$request_uri;
    }
{% endif %}
}

{% if gitea_ssl_enabled is defined and
      gitea_ssl_enabled %}
server {
    listen 443 ssl http2;
{% if ansible_all_ipv6_addresses | length %}
    listen [::]:443 ssl http2;
{% endif %}
    server_name {{ gitea_domain }};

    access_log /var/log/nginx/gitea.access.log main;
    error_log /var/log/nginx/gitea.error.log warn;

{% if gitea_ssl_certificate is defined %}
    ssl_certificate {{ gitea_ssl_certificate }};
{% endif %}
{% if gitea_ssl_certificate_key is defined %}
    ssl_certificate_key {{ gitea_ssl_certificate_key }};
{% endif %}
{% if gitea_ssl_dhparam is defined %}
    ssl_dhparam {{ gitea_ssl_dhparam }};
{% endif %}

    location ~ /user\/login {
        limit_req zone=req_gitea_login burst=10;
        proxy_pass http://gitea_backend;
    }

    location / {
        limit_req zone=req_bad_actors burst=10 nodelay;
        proxy_pass http://gitea_backend;
    }
}
{% endif %}