{{ ansible_managed | comment }}

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    #worker_processes auto; # <- default is 1
}

http {
    sendfile on;
    tcp_nopush on;
    types_hash_max_size 2048;
    server_tokens off;

    server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    gzip off; # compression and crypto don't mix
    # include /etc/nginx/conf.d/*.conf;  # Ansible

    include /etc/nginx/snippets/connection_upgrade.conf;

    include /etc/nginx/sites-enabled/*;
}

stream {
    # Map the SNI from the TLS hello packet to an upstream server.
    # This allow to RP request without breaking the TLS encryption
    # like a proxy_pass does
    map $ssl_preread_server_name $upstream_server {
        acme-v02.api.letsencrypt.org    acme;
        r3.o.lencr.org                  r3;
        {% for rp in (ssl_reverse_proxy_upstream | default({}) | dict2items) -%}
        {{ rp.value.sni_server_name }}   {{ rp.key }};
        {% endfor %}
        default                         local;
    }

    # let's encrypt servers, to generate LE cert from isolated network
    upstream acme {
        server acme-v02.api.letsencrypt.org:443;
    }
    upstream r3 {
        server r3.o.lencr.org:443;
    }
    {% for rp in (ssl_reverse_proxy_upstream | default({}) | dict2items) -%}
    upstream {{ rp.key }} {
        server {{ rp.value.to }}:{{ rp.value.to_port | default('443') }};
    }
    {%- endfor %}
    # default to this server sites
    upstream local {
        server 127.0.0.1:8443;
    }

    server {
        listen 0.0.0.0:443;
        proxy_pass $upstream_server;
        ssl_preread on;
    }
}