# Ntfy vhost with Let's Encrypt (Certbot)
# Managed by Ansible - DO NOT EDIT MANUALLY

server {
    listen 80;
    server_name {{ ntfy_nginx_hostname }};

    # Certbot webroot for ACME challenges
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    # Redirect to HTTPS
    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name {{ ntfy_nginx_hostname }};

    # Let's Encrypt certificates (managed by Certbot)
    ssl_certificate /etc/letsencrypt/live/{{ ntfy_nginx_hostname }}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/{{ ntfy_nginx_hostname }}/privkey.pem;

    # SSL configuration
    ssl_protocols {{ nginx_ssl_protocols }};
    ssl_prefer_server_ciphers {{ 'on' if nginx_ssl_prefer_server_ciphers else 'off' }};

{% if nginx_log_backend == 'journald' %}
    access_log syslog:server=unix:/dev/log,nohostname,tag=nginx_ntfy;
    error_log syslog:server=unix:/dev/log,nohostname,tag=nginx_ntfy;
{% else %}
    access_log /var/log/nginx/{{ ntfy_nginx_hostname }}_access.log main;
    error_log /var/log/nginx/{{ ntfy_nginx_hostname }}_error.log;
{% endif %}

    client_max_body_size 20M;

    location / {
        proxy_pass http://127.0.0.1:{{ ntfy_port }};
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket and SSE support for ntfy
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Buffering must be off for SSE (Server-Sent Events)
        proxy_buffering off;

        # Timeouts for long-polling connections
        proxy_read_timeout 86400s;
        proxy_send_timeout 86400s;
    }
}