log_format gateway '$remote_addr [$time_local] '
                '$protocol $status $bytes_sent $bytes_received '
                '$session_time "$ssl_preread_server_name" '
                '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';

log_format ips '$remote_addr [$time_local] $ssl_preread_server_name';

access_log /var/log/nginx/gateway.log gateway;
access_log /var/log/nginx/ips.log ips;

map $ssl_preread_server_name $gateway_destination {
    default                      {{ wireguard.clients.ingress.ip }}:8443;

    headscale.jakehoward.tech    127.0.0.1:8888;

    {% for domain in cdn_domains %}
    {{ domain }}  127.0.0.1:8800;
    {% endfor %}
}

server {
    listen 443;
    listen 8448;
    listen [::]:443;
    listen [::]:8448;
    proxy_pass $gateway_destination;
    proxy_protocol on;
}

server {
    listen [{{ vps_hosts.private_ipv6_marker }}]:443;
    listen [{{ vps_hosts.private_ipv6_marker }}]:8448;

    access_log off;

    deny all;

    # This is never used, but need to keep nginx happy
    proxy_pass 127.0.0.1:80;
}