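# nginx reverse-proxy template. The {{ ... }} placeholders are filled in by a
# templating step before nginx reads the file. Three host names are
# configured, named after their template variables: nextcloud, collabora and
# whiteboard. Each terminates TLS here and forwards to a local backend port.

# Maps the client's Upgrade header to the Connection header sent upstream:
# "upgrade" when the client asked for a protocol switch (WebSocket),
# "close" when the Upgrade header is empty.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# --- nextcloud: plain HTTP -------------------------------------------------
# Redirects everything to HTTPS except the ACME HTTP-01 challenge path.
server {
    client_max_body_size 64M;

    listen 80;
    server_name {{ domain_nextcloud }};

    location / {
        return 301 https://$host$request_uri;
    }

    # ^~ stops regex matching so challenge files are always served from disk.
    location ^~ /.well-known/acme-challenge/ {
        alias /var/www/html/.well-known/acme-challenge/;
        default_type "text/plain";
        allow all;
    }
}

# --- nextcloud: HTTPS ------------------------------------------------------
server {
    # Server-level limit. "location /" below sets its own value, which takes
    # precedence there, so this one only covers the other locations.
    client_max_body_size 500M;

    listen 443 ssl http2;
    server_name {{ domain_nextcloud }};

    # Placeholder certificate paths, as named in this template.
    # NOTE(review): presumably replaced with the real certificate during
    # provisioning - confirm before exposing the host.
    ssl_certificate /etc/nginx/placeholder.crt;
    ssl_certificate_key /etc/nginx/placeholder.key;

    # HSTS is left disabled for this host.
    # NOTE(review): likely deliberate while the placeholder certificate is in
    # use; enable once a publicly trusted certificate is installed.
    #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    #auth_basic "Restricted Content";
    #auth_basic_user_file letsbe-htpasswd;

    location / {
        # Loopback address rather than 0.0.0.0: the wildcard is a bind
        # address, and connecting to it only reaches the local host through
        # OS-specific behaviour.
        proxy_pass http://127.0.0.1:3023;

        # $proxy_add_x_forwarded_for appends $remote_addr to whatever
        # X-Forwarded-For value the client sent, so every entry except the
        # last is client-controlled. The backend must trust only the entry
        # added by this proxy; if nginx is the first hop, $remote_addr alone
        # is the safer value.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_set_header X-Real-IP $remote_addr;
        # Alternative for deployments behind Cloudflare. Only use it when the
        # server is reachable exclusively through that CDN; otherwise the
        # header is supplied by the client.
        #proxy_set_header X-Real-IP $http_cf_connecting_ip;

        # Ask the backend for uncompressed responses.
        proxy_set_header Accept-Encoding "";
        proxy_set_header Host $host;

        client_body_buffer_size 512k;
        proxy_read_timeout 86400s;
        # 0 disables nginx's request-body size check for this location, so
        # the 500M server-level value does not apply to proxied requests.
        # Upload size limits must be enforced by the backend.
        client_max_body_size 0;

        # Websocket
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    #location /whiteboard/ {
    #    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #    proxy_set_header Host $host;
    #    proxy_pass http://127.0.0.1:3002;
    #    proxy_http_version 1.1;
    #    proxy_set_header Upgrade $http_upgrade;
    #    proxy_set_header Connection "upgrade";
    #}

    # TLS session and protocol settings.
    # NOTE(review): these are declared only in this server block; the other
    # 443 server blocks in this file do not repeat them. Confirm they are
    # also set at http{} level, or move them there so every host gets the
    # same protocol and cipher policy.
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    # Optional settings:

    # OCSP stapling
    # ssl_stapling on;
    # ssl_stapling_verify on;
    # ssl_trusted_certificate /etc/letsencrypt/live//chain.pem;

    # replace with the IP address of your resolver
    # resolver 127.0.0.1; # needed for OCSP stapling: e.g. use 94.140.15.15 for adguard / 1.1.1.1 for cloudflared or 8.8.8.8 for google - you can use the same nameserver as listed in your /etc/resolv.conf file

    location ^~ /.well-known/acme-challenge/ {
        alias /var/www/html/.well-known/acme-challenge/;
        default_type "text/plain";
        allow all;
    }

    # Service-discovery redirects for CardDAV/CalDAV clients.
    location /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }

    location /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }
}

# --- collabora: plain HTTP -------------------------------------------------
# Redirects everything to HTTPS except the ACME HTTP-01 challenge path.
server {
    client_max_body_size 64M;

    listen 80;
    server_name {{ domain_collabora }};

    location / {
        return 301 https://$host$request_uri;
    }

    location ^~ /.well-known/acme-challenge/ {
        alias /var/www/html/.well-known/acme-challenge/;
        default_type "text/plain";
        allow all;
    }
}

# --- collabora: HTTPS ------------------------------------------------------
server {
    client_max_body_size 64M;
    #large_client_header_buffers 4 16k;

    listen 443 ssl http2;
    server_name {{ domain_collabora }};

    # Placeholder certificate paths, as named in this template.
    ssl_certificate /etc/nginx/placeholder.crt;
    ssl_certificate_key /etc/nginx/placeholder.key;

    #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    #auth_basic "Restricted Content";
    #auth_basic_user_file letsbe-htpasswd;

    location / {
        # The backend speaks HTTPS. nginx does not verify the upstream
        # certificate unless proxy_ssl_verify is enabled, so keep this hop on
        # the loopback interface.
        proxy_pass https://127.0.0.1:3044;
        proxy_http_version 1.1;
        proxy_read_timeout 3600s;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        # Overwrites any client-supplied X-Forwarded-For with the peer
        # address.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header X-Frontend-Host $host;
        # Declared at location level, so HSTS is sent only on responses from
        # this location.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    }

    location ^~ /.well-known/acme-challenge/ {
        alias /var/www/html/.well-known/acme-challenge/;
        default_type "text/plain";
        allow all;
    }
}

# --- whiteboard: HTTPS -----------------------------------------------------
# NOTE(review): no port-80 server block for this name is visible in this
# file. Plain-HTTP requests for it (including ACME HTTP-01 challenges) are
# handled by whichever server is the default for port 80. Confirm that is
# intended.
server {
    client_max_body_size 64M;
    #large_client_header_buffers 4 16k;

    listen 443 ssl http2;
    server_name {{ domain_whiteboard }};

    # Placeholder certificate paths, as named in this template.
    ssl_certificate /etc/nginx/placeholder.crt;
    ssl_certificate_key /etc/nginx/placeholder.key;

    #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    #auth_basic "Restricted Content";
    #auth_basic_user_file ;

    location / {
        proxy_pass http://127.0.0.1:3060;
        proxy_http_version 1.1;
        proxy_read_timeout 3600s;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        # Overwrites any client-supplied X-Forwarded-For with the peer
        # address.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header X-Frontend-Host $host;
        # Declared at location level, so HSTS is sent only on responses from
        # this location.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    }

    location ^~ /.well-known/acme-challenge/ {
        alias /var/www/html/.well-known/acme-challenge/;
        default_type "text/plain";
        allow all;
    }
}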