##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##


# Default server configuration
#
server {
	listen 80 default_server;
	# listen [::]:80 default_server;

	# SSL configuration
	#
	# listen 443 ssl default_server;
	# listen [::]:443 ssl default_server;
	#
	# Note: You should disable gzip for SSL traffic.
	# See: https://bugs.debian.org/773332
	#
	# Read up on ssl_ciphers to ensure a secure configuration.
	# See: https://bugs.debian.org/765782
	#
	# Self signed certs generated by the ssl-cert package
	# Don't use them in a production server!
	#
	# include snippets/snakeoil.conf;

	root /var/www/html;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;

	server_name _;

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ =404;
	}

	# pass PHP scripts to FastCGI server
	#
	#location ~ \.php$ {
	#	include snippets/fastcgi-php.conf;
	#
	#	# With php-fpm (or other unix sockets):
	#	fastcgi_pass unix:/run/php/php7.4-fpm.sock;
	#	# With php-cgi (or other tcp sockets):
	#	fastcgi_pass 127.0.0.1:9000;
	#}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
	#	deny all;
	#}
}

server {
	listen 80;
	server_name *.lab.home.hrajfrisbee.cz;

	location / {
    		proxy_pass http://docker-30:9080;
    		proxy_set_header Host $host;
	}
}



server {
	# listen [::]:80 default_server;

	# SSL configuration
	#
	# listen 443 ssl default_server;
	# listen [::]:443 ssl default_server;
	#
	# Note: You should disable gzip for SSL traffic.
	# See: https://bugs.debian.org/773332
	#
	# Read up on ssl_ciphers to ensure a secure configuration.
	# See: https://bugs.debian.org/765782
	#
	# Self signed certs generated by the ssl-cert package
	# Don't use them in a production server!
	#
	# include snippets/snakeoil.conf;

	root /var/www/html;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;
}

server {
	server_name teleport.hrajfrisbee.cz; # managed by Certbot
	location / {
		proxy_pass https://192.168.123.26:443;
		proxy_set_header Host $http_host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;

		# WebSocket upgrade settings - CRITICAL for Teleport
		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection "upgrade";

		# Disable buffering, which can cause issues with real-time connections
		proxy_buffering off;		
	}

    listen 8443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/teleport.hrajfrisbee.cz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/teleport.hrajfrisbee.cz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    if ($host = teleport.hrajfrisbee.cz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


	listen 80 ;
    server_name teleport.hrajfrisbee.cz;
    return 404; # managed by Certbot


}

server {
	root /var/www/html;
	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;
    server_name gitea.home.hrajfrisbee.cz; # managed by Certbot

	location / {
        proxy_pass http://docker-30:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
	}

	# Gitea Git over HTTP
	client_max_body_size 512m;

    listen 8443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/gitea.home.hrajfrisbee.cz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/gitea.home.hrajfrisbee.cz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = gitea.home.hrajfrisbee.cz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


	listen 80 ;
    server_name gitea.home.hrajfrisbee.cz;
    return 404; # managed by Certbot


}

server {
    server_name idm.home.hrajfrisbee.cz; # managed by Certbot

	location / {
		proxy_pass https://docker-30:8443;
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
	}

    listen 8443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/idm.home.hrajfrisbee.cz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/idm.home.hrajfrisbee.cz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = idm.home.hrajfrisbee.cz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

	listen 80 ;
    server_name idm.home.hrajfrisbee.cz;
    return 404; # managed by Certbot
}

server {
    server_name jellyfin.home.hrajfrisbee.cz; # managed by Certbot


    # Security headers for media streaming
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    # Increase body size for high-res movie posters
    client_max_body_size 20M;

    location / {
        # Proxy to your Synology or VM IP and Jellyfin port (default 8096)
        proxy_pass https://docker-30:443;
        
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;

        # Disable buffering for smoother streaming
        proxy_buffering off;
    }

    listen 8443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/jellyfin.home.hrajfrisbee.cz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/jellyfin.home.hrajfrisbee.cz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = jellyfin.home.hrajfrisbee.cz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        listen 80 ;
    server_name jellyfin.home.hrajfrisbee.cz;
    return 404; # managed by Certbot


}


server {

	root /srv/webs/random-shit;
	server_name random-shit.hrajfrisbee.cz; # managed by Certbot
	
	# Enable directory browsing
	autoindex on;

	# Optional: Show file sizes in MB/GB instead of bytes
	autoindex_exact_size off;

	# Optional: Show file timestamps in your local server time
	autoindex_localtime on;
	
	# Optional: Choose format (html, xml, json, or jsonp)
	autoindex_format html;


    listen 8443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/random-shit.hrajfrisbee.cz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/random-shit.hrajfrisbee.cz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = random-shit.hrajfrisbee.cz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

	listen 80 ;
    server_name random-shit.hrajfrisbee.cz;
    return 404; # managed by Certbot
}

server {

	root /var/www/html;
    server_name vault.hrajfrisbee.cz; # managed by Certbot
	location / {
		proxy_pass http://docker-30:8200;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Required for Vault
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        # Timeouts for long-running ops
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
        proxy_read_timeout 300;	}

    listen 8443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/vault.hrajfrisbee.cz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/vault.hrajfrisbee.cz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = vault.hrajfrisbee.cz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

	listen 80 ;
    server_name vault.hrajfrisbee.cz;
    return 404; # managed by Certbot
}

server {
    server_name maru-hleda-byt.home.hrajfrisbee.cz; # managed by Certbot

	location / {
		proxy_pass http://docker-30:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
	}

    listen 8443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/maru-hleda-byt.home.hrajfrisbee.cz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/maru-hleda-byt.home.hrajfrisbee.cz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = maru-hleda-byt.home.hrajfrisbee.cz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

	listen 80 ;
    server_name maru-hleda-byt.home.hrajfrisbee.cz;
    return 404; # managed by Certbot
}

server {
    server_name fuj-management.home.hrajfrisbee.cz; # managed by Certbot

	location / {
		proxy_pass http://docker-30:8081;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
	}

    listen 8443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/fuj-management.home.hrajfrisbee.cz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/fuj-management.home.hrajfrisbee.cz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = fuj-management.home.hrajfrisbee.cz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

	listen 80 ;
    server_name fuj-management.home.hrajfrisbee.cz;
    return 404; # managed by Certbot
}