# {{ ansible_managed }}

# Per-client request-rate zone used by the /oidc location below.
# $binary_remote_addr is the address recovered from the PROXY protocol header
# (see real_ip_header / set_real_ip_from in the server block), so the bucket is
# keyed on the end client, not on the front proxy -- but only for connections
# that arrive from 127.0.0.1. If the front proxy ever connects from another
# address, every client collapses into one bucket and a single peer can lock
# everyone out of the OIDC flow. 1r/m is the steady-state rate; the allowed
# burst is set where the zone is applied.
limit_req_zone $binary_remote_addr zone=headscale:10m rate=1r/m;

# TLS front for headscale. Expected to sit behind a local proxy that speaks
# the PROXY protocol; everything else (HSTS, websocket upgrade, forwarded
# headers) is assumed to come from includes/ssl.conf or the http{} level --
# TODO confirm, nothing in this file sets them.
server {
    # No bind address: nginx listens on *:8888, and with proxy_protocol every
    # connection to this socket must start with a PROXY header. The only
    # trusted real-IP source is 127.0.0.1, so if the front proxy is local this
    # should probably be `listen 127.0.0.1:8888 ...` (or be firewalled) so that
    # nobody can reach the backend while bypassing the front proxy.
    listen 8888 ssl http2 proxy_protocol;

    server_name headscale.jakehoward.tech;

    ssl_certificate /etc/letsencrypt/live/headscale.jakehoward.tech/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/headscale.jakehoward.tech/privkey.pem;
    # chain.pem is the issuer chain; presumably used for OCSP stapling
    # verification enabled in includes/ssl.conf -- confirm.
    ssl_trusted_certificate /etc/letsencrypt/live/headscale.jakehoward.tech/chain.pem;
    include includes/ssl.conf;

    # Take the client address from the PROXY protocol header rather than
    # from a forwarded HTTP header (which a client could set itself).
    real_ip_header proxy_protocol;

    # Only honour that header when the TCP peer is localhost; any other peer
    # keeps its socket address as $remote_addr even if it sends a PROXY line.
    set_real_ip_from 127.0.0.1;

    location / {
        # No proxy_set_header here, so Host / X-Forwarded-* / Upgrade come
        # from the http{} level or nginx defaults (Host = localhost:8416,
        # HTTP/1.0 upstream, Upgrade stripped). NOTE(review): adding any
        # proxy_set_header inside this location disables inheritance of the
        # http-level ones -- keep them together. `localhost` may resolve to
        # both 127.0.0.1 and ::1; prefer 127.0.0.1:8416 if headscale only
        # binds IPv4.
        proxy_pass http://localhost:8416;
    }

    # Prefix match, so /oidc/register/... and /oidc/callback both land here.
    location /oidc {
        # burst=3 nodelay: up to 3 requests are served immediately per client
        # (redirect, callback, plus one retry/error), then 1 per minute.
        # Excess requests are rejected rather than queued. Note that several
        # devices behind one NAT share a bucket.
        limit_req zone=headscale burst=3 nodelay;
        # Surface the limit as 429 Too Many Requests instead of the default 503.
        limit_req_status 429;

        proxy_pass http://localhost:8416;
    }

    # Block access to the API entirely - I'm not using it.
    # nginx normalises merged slashes, dot-segments and percent-encoding before
    # location matching, so /api/v1/... cannot be reached via those tricks.
    # Matching is case-sensitive though: if the upstream router is
    # case-insensitive, /API/... would slip past -- confirm, or switch to
    # `location ~* ^/api`. Returning 404 instead of 403 would also avoid
    # confirming that the endpoint exists.
    location /api {
        return 403;
    }
}