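# Static web vhost for {{ hostname }}
# Managed by Ansible - DO NOT EDIT MANUALLY
#
# Renders one or two nginx server blocks:
#   - ssl_enabled (default true): port 80 serves only the ACME webroot and
#     redirects everything else to HTTPS; port 443 serves the site.
#   - ssl_enabled false: the port 80 block serves the site directly.
#
# nginx caveat: `add_header` is NOT inherited into a location that defines
# its own `add_header`. Any location below that sets a header must therefore
# repeat the server-level security headers, or responses from that location
# will be served without them.

server {
    listen 80;
    listen [::]:80;
    server_name {{ hostname }};

{% if site_config.ssl_enabled | default(true) %}
    # Certbot webroot for ACME HTTP-01 challenges (must stay reachable over
    # plain HTTP, hence it is placed before the redirect).
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    # Redirect to HTTPS. $server_name (not $host) is used deliberately so the
    # redirect target cannot be influenced by the client-supplied Host header.
    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name {{ hostname }};

    # Let's Encrypt certificates (managed by Certbot)
    ssl_certificate /etc/letsencrypt/live/{{ hostname }}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/{{ hostname }}/privkey.pem;

    # SSL configuration. With the default of TLSv1.3 only, cipher ordering is
    # not negotiable; ssl_prefer_server_ciphers only matters if a deployment
    # overrides nginx_ssl_protocols to include TLSv1.2.
    ssl_protocols {{ nginx_ssl_protocols | default('TLSv1.3') }};
    ssl_prefer_server_ciphers on;
{% endif %}

    # Do not advertise the nginx version in the Server header / error pages.
    server_tokens off;

    # Document root
{% if site_config.root_dir is defined and site_config.root_dir | length > 0 %}
    root {{ static_web_base_dir }}/{{ hostname }}/{{ site_config.root_dir }};
{% else %}
    root {{ static_web_base_dir }}/{{ hostname }};
{% endif %}

    # Index files
    index index.html index.htm;

    # Security headers (`always` also sends them on error responses).
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # X-XSS-Protection is deprecated and ignored by current browsers; it is
    # kept only for legacy clients and is not a substitute for a CSP.
    add_header X-XSS-Protection "1; mode=block" always;
{% if site_config.ssl_enabled | default(true) %}
    # HSTS only when TLS is actually served, otherwise clients would be
    # pinned to an HTTPS endpoint that does not exist.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
{% endif %}

    # Logging
{% if nginx_log_backend | default('journald') == 'journald' %}
    # Tag is derived from the hostname with '.' and '-' replaced so it is a
    # valid syslog identifier.
    access_log syslog:server=unix:/dev/log,nohostname,tag=nginx_{{ hostname | replace('.', '_') | replace('-', '_') }};
    error_log syslog:server=unix:/dev/log,nohostname,tag=nginx_{{ hostname | replace('.', '_') | replace('-', '_') }};
{% else %}
    access_log /var/log/nginx/{{ hostname }}-access.log;
    error_log /var/log/nginx/{{ hostname }}-error.log;
{% endif %}

    # Main location
    location / {
        try_files $uri $uri/ =404;
    }

    # Deny access to hidden files (dotfiles such as .git, .env, .htaccess).
    # This location sets no add_header, so it inherits the security headers.
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Static file caching.
    # This location defines its own add_header (Cache-Control), which discards
    # the inherited server-level headers, so the security headers are repeated
    # here. Without this, every asset response lacked X-Frame-Options,
    # X-Content-Type-Options and HSTS.
    location ~* \.(jpg|jpeg|png|gif|ico|css|js|svg|woff|woff2|ttf|eot)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;
{% if site_config.ssl_enabled | default(true) %}
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
{% endif %}
    }
}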