# Redirect HTTP to HTTPS
server {
	listen 80 default_server;
	listen [::]:80 default_server;

	server_name _;
	
	return 308 https://$host$request_uri;
}


# Default HTTPS server
server {
	listen 443 ssl http2 default_server;
	listen [::]:443 ssl http2 default_server;

	server_name _;
	server_name_in_redirect off;
	
	return 404;
}


# Base domain redirect
server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name viyurz.fr;

	location = /.well-known/matrix/server {
		default_type application/json;
		return 200 '{ "m.server": "matrix.viyurz.fr:443" }';
	}

	location = /.well-known/matrix/client {
		default_type application/json;
		add_header Access-Control-Allow-Origin '*';
		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
		add_header Set-Cookie "Path=/; HttpOnly; Secure";
		return 200 '{ "m.homeserver": { "base_url": "https://matrix.viyurz.fr" } }';
	}

	location / {
		return 308 https://www.viyurz.fr$request_uri;
	}
}


# Downloads
server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name dl.viyurz.fr;

	root /var/www/html;
}


# Homepage
server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name www.viyurz.fr;

	location / {
		proxy_pass http://localhost:8082;
	}
}


# Element
server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name element.viyurz.fr;

	location / {
		proxy_pass http://localhost:8084;

		add_header X-Frame-Options SAMEORIGIN;
		add_header X-Content-Type-Options nosniff;
		add_header X-XSS-Protection "1; mode=block";
		add_header Content-Security-Policy "frame-ancestors 'none'";
	
		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
		add_header X-Robots-Tag "noindex, nofollow" always;
		add_header Set-Cookie "Path=/; HttpOnly; Secure";
	}
}


# Etebase
server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name etebase.viyurz.fr;
	
	location ~ ^/(?!admin) {
		proxy_pass http://localhost:3735;
	}
}


# Kavita
server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name kavita.viyurz.fr;

	location / {
		proxy_pass http://localhost:5000;
	}
}


# Nextcloud
server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name nc.viyurz.fr;

	location / {
		proxy_pass http://localhost:11000;

		add_header Set-Cookie "Path=/; HttpOnly; Secure";

		# Websocket
		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection $connection_upgrade;
		proxy_set_header Accept-Encoding "";

		client_body_buffer_size 512k;
		proxy_read_timeout 86400s;
		client_max_body_size 0;
	}
}


# SearxNG
server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name searx.viyurz.fr;

	location / {
		proxy_pass http://localhost:8083;

		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
		add_header Set-Cookie "Path=/; HttpOnly; Secure";
		add_header Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com";
	}
}


# Synapse
server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name matrix.viyurz.fr;

	location ~ ^(/_matrix|/_synapse/client) {
		proxy_pass http://localhost:8008;

		# Nginx by default only allows file uploads up to 1M in size
		# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
		client_max_body_size 50M;   
	}

	location / {
		return 308 https://element.viyurz.fr/;
	}
}


# Syncthing Discovery
upstream stdisco.viyurz.fr {
	# Local IP address:port for discovery server
	server localhost:8443;
}
server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name stdisco.viyurz.fr;
	
	ssl_verify_client optional_no_ca;

	location / {
		proxy_pass http://stdisco.viyurz.fr;
		
		proxy_set_header X-Client-Port $remote_port;
		proxy_set_header X-SSL-Cert $ssl_client_cert;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection $http_connection;
	}
}


# Vaultwarden
upstream vaultwarden-default {
	zone vaultwarden-default 64k;
	server localhost:8081;
	keepalive 2;
}
server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;	
	
	server_name vw.viyurz.fr;

	location / {
		proxy_pass http://vaultwarden-default;
		
		# Websocket
		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection $connection_upgrade;

		client_max_body_size 525M;
	}
}