# {{ ansible_managed }} limit_req_zone $binary_remote_addr zone=headscale:10m rate=1r/m; server { listen 8888 ssl http2 proxy_protocol; server_name headscale.jakehoward.tech; ssl_certificate /etc/letsencrypt/live/headscale.jakehoward.tech/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/headscale.jakehoward.tech/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/headscale.jakehoward.tech/chain.pem; include includes/ssl.conf; real_ip_header proxy_protocol; set_real_ip_from 127.0.0.1; location / { proxy_pass http://localhost:8416; } location /oidc { # 3 should be enough for the redirect, callback plus 1 error limit_req zone=headscale burst=3 nodelay; limit_req_status 429; proxy_pass http://localhost:8416; } # Block access to the API entirely - I'm not using it location /api { return 403; } }