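# Main nginx.conf, rendered from a Jinja2 template. It handles both stock nginx
# and OpenResty (nginx_openresty), defines the shared access-log formats, and
# optionally declares a catch-all default vhost.
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

{% if nginx_openresty %}
# Openresty uses builtin modules, not dynamic ones
{% else %}
include /etc/nginx/ansible_modules.d/*.conf;
{% endif %}

events {
    worker_connections 1024;
}

http {
    server_names_hash_max_size 1024;

{% if nginx_openresty %}
    # Set nginx compatible paths for openresty
    client_body_temp_path /var/lib/nginx/tmp/client_body;
    fastcgi_temp_path /var/lib/nginx/tmp/fastcgi;
    proxy_temp_path /var/lib/nginx/tmp/proxy;
    scgi_temp_path /var/lib/nginx/tmp/scgi;
    uwsgi_temp_path /var/lib/nginx/tmp/uwsgi;
{% endif %}

    # Direct-client format: the logged address is the TCP peer ($remote_addr).
    log_format combined_virtual
        '$server_name $remote_addr - $remote_user [$time_local] "$request" '
        '$status $body_bytes_sent "$http_referer" '
        '"$http_user_agent" scheme="$scheme"';

    # Behind-a-proxy format: the address column is the raw X-Forwarded-For
    # request header. That value is client-controlled unless the fronting proxy
    # overwrites it, so treat it as unverified when attributing requests during
    # an investigation. The TCP peer is not recorded in this format.
    # NOTE(review): consider the realip module (set_real_ip_from/real_ip_header)
    # restricted to the known proxies, or logging $remote_addr alongside.
    log_format combined_virtual_backend
        '$server_name $http_x_forwarded_for - $remote_user [$time_local] "$request" '
        '$status $body_bytes_sent "$http_referer" '
        '"$http_user_agent" scheme="$scheme"';

{% if nginx_llng.stat.exists %}
    # LL::NG variants log $lmremote_user in the user column instead of
    # $remote_user (presumably set by the LL::NG handler; confirm in its config).
    log_format combined_virtual_llng
        '$server_name $remote_addr - $lmremote_user [$time_local] "$request" '
        '$status $body_bytes_sent "$http_referer" '
        '"$http_user_agent" scheme="$scheme"';
    # Same X-Forwarded-For trust caveat as combined_virtual_backend.
    log_format combined_virtual_backend_llng
        '$server_name $http_x_forwarded_for - $lmremote_user [$time_local] "$request" '
        '$status $body_bytes_sent "$http_referer" '
        '"$http_user_agent" scheme="$scheme"';
{% else %}
    # LL::NG not installed, just make those log formats aliases of the non llng formats
    log_format combined_virtual_llng
        '$server_name $remote_addr - $remote_user [$time_local] "$request" '
        '$status $body_bytes_sent "$http_referer" '
        '"$http_user_agent" scheme="$scheme"';
    log_format combined_virtual_backend_llng
        '$server_name $http_x_forwarded_for - $remote_user [$time_local] "$request" '
        '$status $body_bytes_sent "$http_referer" '
        '"$http_user_agent" scheme="$scheme"';
{% endif %}

    access_log /var/log/nginx/access.log {{ nginx_log_format }};

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    # Upper bound on request bodies; larger uploads are rejected with 413.
    client_max_body_size 10m;
    # Do not advertise the nginx version in the Server header and error pages.
    server_tokens off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # http-level fragments. TLS settings (certificate, protocols, ciphers) are
    # not set in this file, so they presumably come from here; verify.
    include /etc/nginx/ansible_conf.d/*.conf;

    # $hsts_header is empty for plain HTTP, and nginx does not emit an
    # add_header whose value is empty, so HSTS is only sent over TLS.
    map $scheme $hsts_header {
        https 'max-age=31536000';
    }

{% if '_' not in nginx_vhosts | map(attribute='name') | list %}
    # Default vhost, only rendered when no vhost named '_' is defined.
    # As default_server it answers requests whose Host matches no other vhost,
    # so every location fragment included below is reachable under any name.
    server {
        listen 80{% if nginx_default_vhost_name == '_' %} default_server{% endif %};
        listen 443{% if nginx_default_vhost_name == '_' %} default_server{% endif %} ssl http2;
        server_name {{ nginx_default_vhost_name }};
        root /usr/share/nginx/html;

        # Load location fragments in the default vhost
        include /etc/nginx/ansible_location.d/*.conf;

        # "always" makes nginx send these on error responses (4xx/5xx) too;
        # without it add_header only applies to a fixed set of 2xx/3xx codes.
        # Caveat: add_header is inherited only by levels that declare no
        # add_header of their own, so an included location fragment that adds
        # any header must repeat this set or it loses all of them.
        add_header X-Frame-Options SAMEORIGIN always;
        add_header X-Content-Type-Options nosniff always;
        # NOTE(review): X-XSS-Protection is ignored by current browsers;
        # a Content-Security-Policy is the effective control if one is needed.
        add_header X-XSS-Protection "1; mode=block" always;
{% if nginx_hsts %}
        add_header Strict-Transport-Security $hsts_header always;
{% endif %}

        # Presumably the ACME challenge handling; defined outside this file.
        include /etc/nginx/ansible_conf.d/acme.inc;

        location / {
        }

        # NOTE(review): this regex is unanchored, so it denies any URI that
        # contains ".ht", including *.html and *.htm, not just .htaccess and
        # .htpasswd. If only dot-files are meant, the usual form is "/\.ht".
        # Left unchanged because narrowing it would expose currently denied content.
        location ~ \.ht {
            deny all;
        }
    }
{% endif %}
}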