infrastructure/ansible/roles/ingress/files/nginx.conf

worker_processes 1;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    server_tokens off;

    server {
        listen 80;
        server_name _;
        return 308 https://$host$request_uri;
    }
}

stream {

    log_format access '$remote_addr [$time_local] '
                    '$protocol $status $bytes_sent $bytes_received '
                    '$session_time "$upstream_addr" '
                    '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';

    access_log /var/log/nginx/access.log access;

    # Internal LAN route
    server {
        listen 443;
        listen 8448;
        proxy_pass {{ pve_hosts.docker.ip }}:443;
        proxy_protocol on;
    }

    # External routes
    server {
        listen 8443 proxy_protocol;
        proxy_protocol on;
        proxy_pass {{ pve_hosts.docker.ip }}:443;
        set_real_ip_from {{ wireguard.server.ip }};
    }
}