server {
  listen 443 ssl http2;
  server_name {{ vaultwarden_public_url | urlsplit('hostname') }};

  include /etc/nginx/ansible_conf.d/acme.inc;

{% if vaultwarden_cert_path is defined and vaultwarden_key_path is defined %}
  ssl_certificate     {{ vaultwarden_cert_path }};
  ssl_certificate_key {{ vaultwarden_key_path }};
{% elif vaultwarden_letsencrypt_cert is defined and vaultwarden_letsencrypt_cert == True %}
  ssl_certificate     /var/lib/dehydrated/certificates/certs/{{ vaultwarden_public_url | urlsplit('hostname') }}/fullchain.pem;
  ssl_certificate_key /var/lib/dehydrated/certificates/certs/{{ vaultwarden_public_url | urlsplit('hostname') }}/privkey.pem;
{% elif vaultwarden_letsencrypt_cert is string %}
  ssl_certificate     /var/lib/dehydrated/certificates/certs/{{ vaultwarden_letsencrypt_cert }}/fullchain.pem;
  ssl_certificate_key /var/lib/dehydrated/certificates/certs/{{ vaultwarden_letsencrypt_cert }}/privkey.pem;
{% endif %}

  root {{ vaultwarden_root_dir }}/web-vault;

  client_max_body_size 512M;

  if ($request_method !~ ^(GET|POST|HEAD|PUT|DELETE)$ ) {
    return 405;
  }

  location /notifications/hub {
    proxy_pass http://localhost:{{ vaultwarden_ws_port }};
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }
  location /notifications/hub/negotiate {
    proxy_pass http://localhost:{{ vaultwarden_http_port }};
  }

  location @proxy {
    proxy_pass http://localhost:{{ vaultwarden_http_port }};
  }

  location / {
    try_files $uri $uri/index.html @proxy;
  }

  add_header X-Frame-Options "DENY";
  add_header X-Content-Type-Options "nosniff";
  add_header X-XSS-Protection "1; mode=block";
  add_header Strict-Transport-Security "$hsts_header";

  # Send info about the original request to the backend
  proxy_set_header X-Forwarded-For "$proxy_add_x_forwarded_for";
  proxy_set_header X-Real-IP "$remote_addr";
  proxy_set_header X-Forwarded-Proto "$scheme";
  proxy_set_header X-Forwarded-Host "$host";
  proxy_set_header Host "$host";

  # Set the timeout to read responses from the backend
  proxy_read_timeout 60s;

  # Enable Keep Alive to the backend
  proxy_socket_keepalive on;

  # Disable buffering large files
  proxy_max_temp_file_size 5m;

  allow 127.0.0.1;
{% for ip in vaultwarden_web_src_ip %}
  allow {{ ip }};
{% endfor %}
  deny all;
}