ansible/roles/grafana/templates/nginx.conf.j2


# {{ ansible_managed }}
# Request-rate zone for login throttling: state is keyed on the client address
# ($binary_remote_addr), held in a 10 MB shared-memory zone, and allows
# 10 requests per minute per key. It is referenced by
# "limit_req zone=req_grafana_login" in the /login location of this file.
# NOTE(review): the key is the address of the directly connected peer. If this
# nginx runs behind a load balancer or CDN, every client would share one bucket
# unless the real client address is restored first. Confirm the topology.
limit_req_zone $binary_remote_addr zone=req_grafana_login:10m rate=10r/m;

# nginx forwards to Grafana on the loopback address; the port is filled in from
# the grafana_port template variable.
# NOTE(review): confirm Grafana itself is bound to 127.0.0.1 only, so that the
# proxy (and its rate limits) cannot be bypassed by connecting to the port directly.
upstream grafana_backend {
    server 127.0.0.1:{{ grafana_port }};
}

# Value for the proxied Connection header: "close" when the client sent no
# Upgrade header, "upgrade" otherwise (WebSocket pass-through).
map $http_upgrade $connection_upgrade {
    ''      close;
    default upgrade;
}
# Plain-HTTP virtual host. It serves ACME HTTP-01 challenge files and, when
# grafana_ssl_enabled is set, redirects every other request to HTTPS.
server {
    listen 80;
{% if ansible_all_ipv6_addresses | length > 0 %}
    listen [::]:80;
{% endif %}
    server_name {{ grafana_domain }};

    # NOTE(review): the "main" log format is not declared in this template; it
    # has to exist in the surrounding http context.
    error_log  /var/log/nginx/grafana.error.log warn;
    access_log /var/log/nginx/grafana.access.log main;

    # Challenge responses come straight from the webroot; a missing file is a 404.
    location /.well-known/acme-challenge/ {
        try_files $uri =404;
        root /var/www/html;
    }

{% if grafana_ssl_enabled is defined and grafana_ssl_enabled %}
    # The redirect target uses $server_name (the configured domain), not the
    # Host header supplied by the client.
    location / {
        return 301 https://$server_name$request_uri;
    }
{% endif %}
    # NOTE(review): when grafana_ssl_enabled is unset or false, this server block
    # has no location that proxies to grafana_backend, and the TLS server block
    # is not rendered either. Confirm that leaving Grafana unproxied in that
    # case is intended.
}
{% if grafana_ssl_enabled is defined and grafana_ssl_enabled %}
# TLS virtual host that proxies to Grafana. Rendered only when
# grafana_ssl_enabled is defined and true.
server {
    listen 443 ssl;
{% if ansible_all_ipv6_addresses | length > 0 %}
    listen [::]:443 ssl;
{% endif %}
    http2 on;
    server_name {{ grafana_domain }};

    error_log  /var/log/nginx/grafana.error.log warn;
    access_log /var/log/nginx/grafana.access.log main;

    # Each TLS file directive is written only if its variable is defined.
    # NOTE(review): if the certificate or key variable is missing while TLS is
    # enabled, the rendered block listens with "ssl" but names no certificate;
    # nginx is expected to refuse such a configuration. Consider asserting the
    # variables in the role before templating.
    # NOTE(review): ssl_protocols, ssl_ciphers and an HSTS header are not set
    # here. Presumably they are inherited from the http context; confirm.
{% if grafana_ssl_certificate is defined %}
    ssl_certificate {{ grafana_ssl_certificate }};
{% endif %}
{% if grafana_ssl_certificate_key is defined %}
    ssl_certificate_key {{ grafana_ssl_certificate_key }};
{% endif %}
{% if grafana_ssl_dhparam is defined %}
    ssl_dhparam {{ grafana_ssl_dhparam }};
{% endif %}

    # Server-level Host header. It is inherited only by locations that declare
    # no proxy_set_header of their own (here: /login).
    # NOTE(review): no X-Forwarded-For / X-Real-IP header is passed in this
    # file, so Grafana would see 127.0.0.1 as the client address. Confirm
    # whether its logs need the real address.
    proxy_set_header Host $http_host;

    # Login throttling. "location /login" is a prefix match, so it covers every
    # path that starts with /login. Without "nodelay", requests above the rate
    # are delayed; once more than 10 are queued, further ones are rejected.
    # NOTE(review): credentials presented on other paths (for example HTTP basic
    # auth on API requests, if Grafana has it enabled) are handled by
    # "location /" and are limited only by req_bad_actors. Verify that is enough.
    location /login {
        proxy_pass http://grafana_backend;
        limit_req zone=req_grafana_login burst=10;
    }

    # Everything else, including WebSocket upgrades.
    location / {
        proxy_pass http://grafana_backend;
        proxy_http_version 1.1;

        # Declaring proxy_set_header here stops inheritance from the server
        # level, which is why Host is repeated.
        proxy_set_header Host $http_host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # NOTE(review): the req_bad_actors zone is not declared in this
        # template; it must be defined elsewhere in the http context or nginx
        # will fail to load the configuration.
        limit_req zone=req_bad_actors burst=10 nodelay;

        # NOTE(review): this advertises HTTP/3 on the same port, but no
        # "listen ... quic" appears in this server block. Confirm a QUIC
        # listener for this host exists, or drop the header.
        add_header Alt-Svc 'h3=":$server_port"; ma=86400';
    }
}
{% endif %}