# Managed by Ansible

# Reverse proxy for numquam.trygvis.io: requests that pass the source-address
# allowlist in `location /` are forwarded to a backend on the loopback
# interface (port taken from the `rosin.http_port` template variable).
server {
    server_name numquam.trygvis.io;

# TLS listener is currently disabled. While these lines stay commented out the
# server only speaks plain HTTP, so traffic arriving at this listener
# (including anything Cloudflare forwards to it) is unencrypted on the wire.
#    listen 443 default_server ssl;
#    include /etc/letsencrypt/options-ssl-nginx.conf;
#    ssl_certificate /etc/letsencrypt/live/numquam.trygvis.io/fullchain.pem; # managed by Certbot
#    ssl_certificate_key /etc/letsencrypt/live/numquam.trygvis.io/privkey.pem; # managed by Certbot
#    ssl_trusted_certificate /etc/letsencrypt/live/numquam.trygvis.io/fullchain.pem;

    # default_server: this block also answers port-80 requests whose Host
    # header matches no other server_name, so the Host value forwarded to the
    # backend below is not limited to numquam.trygvis.io.
    listen 80 default_server;

    location / {
        # allow/deny rules are checked in order and the first match decides;
        # anything not matched by an allow line hits `deny all` (403).

        # Pløens gate 4
        allow 77.40.158.96/27;
        allow 2001:840:4b0b::/48;

        # Cloudflare
        # NOTE(review): these ranges are shared by all Cloudflare customers.
        # Matching them only shows the connection came from Cloudflare's edge,
        # not which zone or which visitor originated it, so the site-address
        # restriction above does not constrain requests that arrive through
        # Cloudflare. If access is meant to be limited, it has to be enforced
        # at Cloudflare (e.g. an access policy) or by authenticating the edge
        # to the origin (Authenticated Origin Pulls, which needs the TLS
        # listener) - confirm what is configured on the Cloudflare side.
        # NOTE(review): this is a static snapshot; reconcile it periodically
        # with https://www.cloudflare.com/ips/. In particular 104.16.0.0/12
        # looks wider than the currently published IPv4 ranges - verify.
        allow 2400:cb00::/32;
        allow 2405:8100::/32;
        allow 2405:b500::/32;
        allow 2606:4700::/32;
        allow 2803:f800::/32;
        allow 2c0f:f248::/32;
        allow 2a06:98c0::/29;
        allow 103.21.244.0/22;
        allow 103.22.200.0/22;
        allow 103.31.4.0/22;
        allow 104.16.0.0/12;
        allow 108.162.192.0/18;
        allow 131.0.72.0/22;
        allow 141.101.64.0/18;
        allow 162.158.0.0/15;
        allow 172.64.0.0/13;
        allow 173.245.48.0/20;
        allow 188.114.96.0/20;
        allow 190.93.240.0/20;
        allow 197.234.240.0/22;
        allow 198.41.128.0/17;

        deny all;
        # Serve $uri as a static file if it exists, otherwise hand the request
        # to the named location @proxy. No `root` is set in this server block,
        # so the file lookup uses whatever root is inherited from the enclosing
        # configuration or nginx's built-in default.
        try_files $uri @proxy;
    }

    # Named location: only reachable through the try_files fallback above,
    # never directly by a client URI.
    location @proxy {
        # Pass the client-supplied Host through unchanged (see default_server
        # note above: the value is whatever the client sent).
        proxy_set_header Host $host;
        # Appends $remote_addr to any X-Forwarded-For the client already sent.
        # The incoming part is client-controlled, and for Cloudflare-routed
        # requests $remote_addr is the Cloudflare edge address unless the
        # realip module is configured elsewhere - the backend should not base
        # access decisions on the leading entries of this header.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # $scheme reflects this listener only; with the TLS listener disabled
        # it is always "http", even if the visitor used HTTPS to reach
        # Cloudflare.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:{{ rosin.http_port }};
    }
}