# {{ ansible_managed }}
#
# nginx HTTPS virtual host (Ansible/Jinja2 template). It listens on
# {{ vpn_listen_address }}:{{ https_port }} and reverse-proxies /radicale/
# to a TLS backend on the loopback interface.
server {
    listen {{ vpn_listen_address }}:{{ https_port }} ssl;

    # Client-facing TLS: only TLS 1.2 is offered, and anonymous (aNULL) and
    # MD5-based suites are removed from OpenSSL's HIGH cipher set.
    ssl_protocols       TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ssl_certificate     /etc/ssl/localcerts/nginx.pem;
    ssl_certificate_key /etc/ssl/localcerts/nginx.key;

    # Per-vhost logs.
    error_log  /var/log/nginx/vpn_error.log;
    access_log /var/log/nginx/vpn.log;

    location /radicale/ {
        # HTTP Basic authentication is enforced by nginx before anything
        # is forwarded to the backend.
        auth_basic           "Radicale - Password Required";
        auth_basic_user_file /etc/nginx/radicale/htpasswd;

        # The trailing slash on the URI makes nginx replace the matched
        # /radicale/ prefix with / before forwarding.
        proxy_pass https://127.0.0.1:{{ radicale_app_port }}/;

        # X-Script-Name presumably tells the application the prefix it is
        # mounted under -- confirm against the backend configuration.
        proxy_set_header X-Script-Name   /radicale;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # $remote_user is the user name from the Basic credentials checked
        # above. proxy_set_header replaces any X-Remote-User value sent by
        # the client, so the backend only sees the name nginx authenticated.
        # NOTE(review): the backend should accept this header only from this
        # proxy -- confirm it requires the client certificate configured below.
        proxy_set_header X-Remote-User   $remote_user;

        # NOTE(review): proxy_pass_header applies to response headers coming
        # back from the upstream; request headers such as Authorization are
        # forwarded by default. Kept as in the original.
        proxy_pass_header Authorization;

        # Upstream TLS: nginx presents this client certificate to the backend.
        proxy_ssl_certificate     /etc/ssl/localcerts/radicale/client_cert.pem;
        proxy_ssl_certificate_key /etc/ssl/localcerts/radicale/client_key.pem;

        # NOTE(review): proxy_ssl_verify is not set in this block and nginx
        # defaults it to off, in which case the trusted certificate below is
        # not used to check the upstream's certificate. Enabling
        # "proxy_ssl_verify on;" also requires the server certificate's name
        # to match the proxy_pass host (or proxy_ssl_name) -- confirm before
        # turning it on.
        proxy_ssl_trusted_certificate /etc/ssl/localcerts/radicale/server_cert.pem;
    }
}