# {{ ansible_managed }}

# On-disk response cache used by every server block that references the
# "cdncache" zone.
#   levels=1:2             two-level directory hierarchy under the cache path
#   keys_zone=cdncache:20m shared-memory zone (20 MB) holding cache keys and metadata
#   max_size=1g            upper bound on the on-disk cache size
#   inactive=48h           entries not requested for 48 hours are removed
# NOTE(review): the cache directory holds upstream response bodies; confirm it
# is writable and readable only by the nginx user.
proxy_cache_path /var/lib/nginx/cache levels=1:2 keys_zone=cdncache:20m max_size=1g inactive=48h;

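# One caching TLS reverse proxy per entry in cdn_domains. All of them share the
# "cdncache" zone and forward to the same WireGuard ingress peer.
{% for domain in cdn_domains %}
server {
    # proxy_protocol: every connection must start with a PROXY header.
    # No address is given, so port 8800 is bound on all interfaces.
    # NOTE(review): only 127.0.0.1 is trusted below; if the fronting proxy is
    # always local, confirm 8800 is firewalled or bind it to loopback.
    listen 8800 ssl http2 proxy_protocol;

    server_name {{ domain }};

    ssl_certificate /etc/letsencrypt/live/{{ domain }}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/{{ domain }}/privkey.pem;
    # Chain used to verify OCSP responses; presumably ssl_stapling is enabled
    # in includes/ssl.conf (not visible here) - confirm.
    ssl_trusted_certificate /etc/letsencrypt/live/{{ domain }}/chain.pem;

    include includes/ssl.conf;

    # Take the client address from the PROXY header, but only when the TCP
    # peer is 127.0.0.1; PROXY headers from any other peer are not trusted
    # for address replacement.
    real_ip_header proxy_protocol;

    set_real_ip_from 127.0.0.1;

    # Serve a stale cached copy when the upstream errors out or times out.
    proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;

    location / {
        proxy_cache cdncache;
        # No proxy_cache_valid is set, so what gets cached and for how long is
        # decided by the upstream's caching response headers.

        # nginx's default key is $scheme$proxy_host$request_uri. Every domain
        # in this loop has the same upstream and the same zone, so that key is
        # identical across domains for a given URI. Key on the client-facing
        # host so an entry stored for one domain is never served for another.
        proxy_cache_key $scheme$host$request_uri;

        # NOTE(review): add_header is inherited from outer levels only when the
        # current level defines none. If includes/ssl.conf adds response
        # headers (e.g. HSTS), they do not apply inside this location - confirm
        # and repeat them here if needed.
        add_header X-Cache-Status $upstream_cache_status;

        # Upstream is addressed by IP over HTTPS. nginx does not verify the
        # upstream certificate unless proxy_ssl_verify is on, and sends
        # Host: $proxy_host unless proxy_set_header is set at an outer level.
        # NOTE(review): presumably the WireGuard tunnel is what authenticates
        # the upstream - confirm.
        proxy_pass https://{{ wireguard.clients.ingress.ip }}:443;
    }
}
{% endfor %}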