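# Basic configuration
user nginx;
worker_processes 4;
error_log /dev/stderr info;
pid /var/run/nginx.pid;
load_module "modules/ngx_mail_module.so";

events {
    worker_connections 1024;
}

http {
    # Standard HTTP configuration with slight hardening
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    access_log /dev/stdout;
    sendfile on;
    keepalive_timeout 65;
    # Do not leak the nginx version in the Server header or error pages.
    server_tokens off;
    # nginx-generated redirects are emitted as relative Location headers,
    # so they never echo the client-supplied Host header back.
    absolute_redirect off;

    server {
        listen 80;

        # TLS configuration
        {% if TLS and not TLS_ERROR %}
        listen 443 ssl;
        include /etc/nginx/tls.conf;
        ssl_session_cache shared:SSLHTTP:50m;
        # ~6 months; only emitted when TLS is actually configured.
        add_header Strict-Transport-Security max-age=15768000;
        # Force plain-HTTP clients onto HTTPS. NOTE(review): this server
        # block declares no server_name, so $host is whatever the client
        # sent in its Host header; an absolute URL is unavoidable here
        # because the scheme has to change.
        if ($scheme = http) {
            return 301 https://$host$request_uri;
        }
        {% endif %}

        {% if TLS_FLAVOR == 'letsencrypt' %}
        # ACME HTTP-01 challenges must stay reachable; "^~" makes this
        # prefix win over the regex locations declared below.
        location ^~ /.well-known/acme-challenge/ {
            proxy_pass http://localhost:8000;
        }
        {% endif %}

        # Actual logic
        {% if TLS_ERROR %}
        # Serve nothing while the certificate setup is broken.
        # (The original was missing the ";" after 403, which is a config
        # syntax error that would stop nginx from starting at all.)
        location / {
            return 403;
        }
        {% else %}
        {% if WEBMAIL != 'none' %}
        # Send the root to the configured webmail prefix. Uses the same
        # {{ WEB_WEBMAIL }} value as the location below (the original
        # hard-coded /webmail/) and a relative target, matching
        # absolute_redirect off and the admin redirect, so the Host header
        # is not reflected into the redirect.
        location / {
            return 301 {{ WEB_WEBMAIL }}/;
        }
        location {{ WEB_WEBMAIL }} {
            rewrite ^{{ WEB_WEBMAIL }}/(.*) /$1 break;
            proxy_pass http://webmail;
        }
        {% endif %}

        {% if ADMIN == 'true' %}
        location {{ WEB_ADMIN }} {
            return 301 {{ WEB_ADMIN }}/ui;
        }
        # Only /ui and /static of the admin app are proxied through this
        # vhost; the regex is anchored so that it matches the same URIs the
        # rewrite below assumes (paths starting with the admin prefix).
        # The /internal/nginx endpoint used by the mail block's auth_http is
        # consequently not reachable via this location.
        location ~ ^{{ WEB_ADMIN }}/(ui|static) {
            rewrite ^{{ WEB_ADMIN }}/(.*) /$1 break;
            proxy_set_header X-Forwarded-Prefix {{ WEB_ADMIN }};
            proxy_pass http://admin;
        }
        {% endif %}

        {% if WEBDAV != 'none' %}
        location /webdav {
            rewrite ^/webdav/(.*) /$1 break;
            proxy_pass http://webdav:5232;
        }
        {% endif %}
        {% endif %}
    }
}

mail {
    server_name {{ HOSTNAMES.split(",")[0] }};
    # Credentials for all authenticated mail services are checked by the
    # admin service's auth endpoint.
    auth_http http://{{ ADMIN_ADDRESS }}/internal/nginx;
    proxy_pass_error_message on;

    {% if TLS and not TLS_ERROR %}
    include /etc/nginx/tls.conf;
    ssl_session_cache shared:SSLMAIL:50m;
    {% endif %}

    # MTA-to-MTA delivery: no authentication, opportunistic STARTTLS.
    server {
        listen 25;
        {% if TLS_FLAVOR != 'notls' %}
        starttls on;
        {% endif %}
        protocol smtp;
        smtp_auth none;
    }

    {% if not TLS_ERROR %}
    # IMAP. With TLS configured, "starttls only" refuses authentication
    # until the session has been upgraded, so PLAIN credentials do not
    # cross the wire in clear. Without TLS, PLAIN over port 143 is
    # deliberately allowed (TLS_FLAVOR notls).
    server {
        listen 143;
        {% if TLS %}
        starttls only;
        {% endif %}
        protocol imap;
        imap_auth plain;
    }

    {% if TLS %}
    # Implicit-TLS submission (SMTPS).
    server {
        listen 465 ssl;
        protocol smtp;
        smtp_auth plain;
    }
    # STARTTLS submission on the standard port 587. The original listened
    # on 597, which is not the submission port; "starttls only" still
    # ensures AUTH PLAIN is only accepted after the upgrade.
    server {
        listen 587;
        starttls only;
        protocol smtp;
        smtp_auth plain;
    }
    # Implicit-TLS IMAP.
    server {
        listen 993 ssl;
        protocol imap;
        imap_auth plain;
    }
    {% endif %}
    {% endif %}
}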