# Create a map of known attack locations
map $request_uri $block_uri {
    default 0;
    ~*/wp-.* 1;
    ~*\.env 1;
    /etc 1;
}

# Redirect all HTTP to HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name m5p3nc3r.co.uk www.m5p3nc3r.co.uk
                gitea.m5p3nc3r.co.uk
                apptabulous.co.uk www.apptabulous.co.uk
                hub.apptabulous.co.uk;

    return 301 https://$host$request_uri;
}

# m5p3nc3r webserver
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name m5p3nc3r.co.uk www.m5p3nc3r.co.uk;

    ssl_certificate /etc/letsencrypt/live/m5p3nc3r.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/m5p3nc3r.co.uk/privkey.pem;

    add_header Strict-Transport-Security "max-age=31536000" always;

    if ($block_uri = 1) {
        return 403;
    }

    location / {
        proxy_pass http://website:3000;
    }
}

# gitea.m5p3nc3r webserver
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name gitea.m5p3nc3r.co.uk;

    ssl_certificate /etc/letsencrypt/live/m5p3nc3r.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/m5p3nc3r.co.uk/privkey.pem;

    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://gitea:3000;
    }
}

# apptabulous webserver
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name apptabulous.co.uk www.apptabulous.co.uk;

    ssl_certificate /etc/letsencrypt/live/apptabulous.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/apptabulous.co.uk/privkey.pem;

    add_header Strict-Transport-Security "max-age=31536000" always;

    if ($block_uri = 1) {
        return 403;
    }

    location / {
        proxy_pass http://apptabulous_website:3000;
    }
}

# Container registry
# server {
#     listen 443 ssl;
#     listen [::]:443 ssl;
#     server_name hub.apptabulous.co.uk;

#     ssl_certificate /etc/letsencrypt/live/apptabulous.co.uk/fullchain.pem;
#     ssl_certificate_key /etc/letsencrypt/live/apptabulous.co.uk/privkey.pem;

#     # disable any limits to avoid HTTP 413 for large image uploads
#     client_max_body_size 0;

#     # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
#     chunked_transfer_encoding on;

#     location / {
#         proxy_pass http://rpi4-2:5000;
#     }
# }

# Watchtower
# server {
#     listen 443 ssl;
#     listen [::]:443 ssl;
#     server_name watchtower.apptabulous.co.uk;

#     ssl_certificate /etc/letsencrypt/live/apptabulous.co.uk/fullchain.pem;
#     ssl_certificate_key /etc/letsencrypt/live/apptabulous.co.uk/privkey.pem;

#     location / {
#         proxy_pass http://rpi4-2:8080;
#     }
# }