${CONFIG_HEADER}

# taken from https://element-hq.github.io/synapse/latest/reverse_proxy.html
# mixed with https://github.com/wmnnd/nginx-certbot/tree/master/etc/nginx/conf.d/nginx

# log_format vhosts '$host $remote_addr - $remote_user [$time_local] '
#                   '"$request" $status $body_bytes_sent '
#                   '"$http_referer" "$http_user_agent"';
# access_log /dev/stdout vhosts;

server {
    server_name ${DOMAIN};
    server_tokens off;

    listen 80;

    location /.well-known/acme-challenge/ {
       root /var/www/certbot;
    }

    location ~ ^/.well-known/(matrix|element)/ {
        root /var/www;
    }

    # XXX: is this right? or should auth.$DOMAIN be the issuer?
    location /.well-known/openid-configuration {
        proxy_pass http://mas:8080;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For ${DOLLAR}remote_addr;
    }

    location / {
        return 301 https://${DOLLAR}host${DOLLAR}request_uri;
    }
}

server {
    server_name ${DOMAIN};
    server_tokens off;

    include /etc/nginx/conf.d/include/ssl.conf;

    location = / {
	return 302 https://${ELEMENT_WEB_FQDN};
    }

    location ~ ^/.well-known/(matrix|element)/ {
        root /var/www;
    }

    # XXX: is this right? or should auth.$DOMAIN be the issuer?
    location /.well-known/openid-configuration {
        proxy_pass http://mas:8080;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For ${DOLLAR}remote_addr;
    }
}

server {
    server_name ${ELEMENT_WEB_FQDN};
    server_tokens off;

    include /etc/nginx/conf.d/include/ssl.conf;

    location / {
        proxy_pass http://element-web;
        proxy_set_header X-Forwarded-For ${DOLLAR}remote_addr;
    }
}

server {
    server_name ${ELEMENT_CALL_FQDN};
    server_tokens off;

    include /etc/nginx/conf.d/include/ssl.conf;

    location / {
        proxy_pass http://element-call:8080;
        proxy_set_header X-Forwarded-For ${DOLLAR}remote_addr;
    }
}

server {
    server_name ${MAS_FQDN};
    server_tokens off;

    include /etc/nginx/conf.d/include/ssl.conf;

    location / {
        proxy_pass http://mas:8080;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For ${DOLLAR}remote_addr;
    }
}

server {
    server_name ${LIVEKIT_FQDN};
    server_tokens off;

    include /etc/nginx/conf.d/include/ssl.conf;

    location / {
        proxy_pass http://livekit:7880;
        proxy_http_version 1.1;
        proxy_set_header Upgrade ${DOLLAR}http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host ${DOLLAR}host;
        proxy_set_header X-Forwarded-For ${DOLLAR}remote_addr;
    }
}

server {
    server_name ${LIVEKIT_JWT_FQDN};
    server_tokens off;

    include /etc/nginx/conf.d/include/ssl.conf;

    location / {
        proxy_pass http://livekit-jwt:8080;
        proxy_set_header X-Forwarded-For ${DOLLAR}remote_addr;
    }
}

server {
    server_name ${HOMESERVER_FQDN};
    server_tokens off;

    include /etc/nginx/conf.d/include/ssl.conf;

    # For the federation port
    listen 8448 ssl default_server;
    listen [::]:8448 ssl default_server;

    # pass auth to MAS
    location ~ ^/_matrix/client/(.*)/(login|logout|refresh) {
        proxy_pass http://mas:8080;
        proxy_set_header X-Forwarded-For ${DOLLAR}remote_addr;
    }

    # use the generic worker as a synchrotron:
    # taken from https://element-hq.github.io/synapse/latest/workers.html#synapseappgeneric_worker

    location ~ ^/_matrix/client/(r0|v3)/sync${DOLLAR} {
        proxy_pass http://synapse-generic-worker-1:8081;
        proxy_set_header X-Forwarded-For ${DOLLAR}remote_addr;
        proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme;
    }

    location ~ ^/_matrix/client/(api/v1|r0|v3)/events${DOLLAR} {
        proxy_pass http://synapse-generic-worker-1:8081;
        proxy_set_header X-Forwarded-For ${DOLLAR}remote_addr;
        proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme;
    }

    location ~ ^/_matrix/client/(api/v1|r0|v3)/initialSync${DOLLAR} {
        proxy_pass http://synapse-generic-worker-1:8081;
        proxy_set_header X-Forwarded-For ${DOLLAR}remote_addr;
        proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme;
    }

    location ~ ^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync${DOLLAR} {
        proxy_pass http://synapse-generic-worker-1:8081;
        proxy_set_header X-Forwarded-For ${DOLLAR}remote_addr;
        proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme;
    }

    location / {
        proxy_pass http://synapse:8008;
        proxy_set_header X-Forwarded-For ${DOLLAR}remote_addr;
        proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme;
        proxy_set_header Host ${DOLLAR}host;

        # Nginx by default only allows file uploads up to 1M in size
        # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
        client_max_body_size 50M;
    }

    # Synapse responses may be chunked, which is an HTTP/1.1 feature.
    proxy_http_version 1.1;
}