worker_processes  auto;

error_log  /var/log/nginx/error.log;

load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so;
load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so;

{% if ansible_os_family != 'Archlinux'%}
load_module /usr/lib/nginx/modules/ngx_stream_module.so;
{% endif %}

pcre_jit on;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    server_tokens off;
    more_clear_headers "Server";

    add_header Permissions-Policy "interest-cohort=()";

    types_hash_max_size 2048;
    types_hash_bucket_size 128;

    include includes/proxy.conf;

    # Helper variable for proxying websockets.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    tcp_nopush     on;

    # Gzip basically everything if we can
    gzip on;
    gzip_vary on;
    gzip_types *;
    gzip_proxied any;
    gzip_comp_level 3;
    gzip_min_length 1024;

    brotli on;
    brotli_types *;
    brotli_comp_level 7;
    brotli_min_length 1024;

    keepalive_timeout  65;

    include /etc/nginx/http.d/*.conf;
}

stream {
    ssl_preread on;

    include /etc/nginx/stream.d/*.conf;
}