upstream jellyfin {
  server {{ env "NOMAD_UPSTREAM_ADDR_jellyfin" }};
}

upstream zigbee2mqtt {
  server {{ env "NOMAD_UPSTREAM_ADDR_zigbee2mqtt" }};
}

upstream home-assistant {
  server {{ env "NOMAD_UPSTREAM_ADDR_home-assistant" }};
}

upstream syncthing {
  server {{ env "NOMAD_UPSTREAM_ADDR_syncthing" }};
}

upstream influx {
  server {{ env "NOMAD_UPSTREAM_ADDR_influx" }};
}

upstream grafana {
  server {{ env "NOMAD_UPSTREAM_ADDR_grafana" }};
}

upstream mainsail {
  server {{ env "NOMAD_UPSTREAM_ADDR_mainsail" }};
}

upstream matrix-synapse {
  server {{ env "NOMAD_UPSTREAM_ADDR_matrix_synapse" }};
}

upstream matrix-mautrix-facebook {
  server {{ env "NOMAD_UPSTREAM_ADDR_matrix-mautrix-facebook" }};
}

server {
  listen 80;

  server_name jellyfin.in.redalder.org;

  include /local/jellyfin.conf;
}

server {
  listen 8096;

  server_name _;

  include /local/jellyfin.conf;
}


server {
  listen 80;

  server_name syncthing.in.redalder.org;

  include /local/security.conf;

  location / {
    include /local/headers.conf;

    proxy_pass http://syncthing/;
  }
}

server {
  listen 80;

  server_name hass.in.redalder.org;

  include /local/hass.conf;
}

server {
  listen 8086;

  server_name _;

  include /local/security.conf;

  include /local/hass.conf;
}

server {
  listen 80;

  server_name zigbee2mqtt.in.redalder.org;

  include /local/security.conf;

  location / {
    include /local/headers.conf;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    proxy_pass http://zigbee2mqtt/;
  }
}

server {
  listen 80;

  server_name grafana.in.redalder.org;

  # Grafana really doesn't like that CSP policy
  # include /local/security.conf;

  location / {
    include /local/headers.conf;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    proxy_pass http://grafana/;
  }
}

server {
  listen 80;

  server_name influx.in.redalder.org;

  # Influx doesn't like it either
  # include /local/security.conf;

  location / {
    include /local/headers.conf;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    proxy_pass http://influx/;
  }
}

server {
  listen 80;

  server_name mainsail.in.redalder.org;

  # Influx doesn't like it either
  include /local/security.conf;

  location / {
    include /local/headers.conf;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    proxy_pass http://mainsail/;
  }
}

server {
  listen 80;

  server_name matrix.in.redalder.org;

  location ~ ^/_synapse/admin  {
      # note: do not add a path (even a single /) after the port in `proxy_pass`,
      # otherwise nginx will canonicalise the URI and cause signature verification
      # errors.
      proxy_pass http://matrix-synapse;
      proxy_set_header X-Forwarded-For $remote_addr;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header Host $host;

      # Nginx by default only allows file uploads up to 1M in size
      # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
      client_max_body_size 50M;

      # Synapse responses may be chunked, which is an HTTP/1.1 feature.
      proxy_http_version 1.1;
  }

  location /mufb/ {
      proxy_pass http://matrix-mautrix-facebook$request_uri;
      proxy_set_header Host $http_host;
      proxy_buffering off;
  }
}

server {
  listen 80;

  server_name nomad.in.redalder.org;

  location / {
    proxy_pass http://blowhole.hosts.in.redalder.org:4646;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $host;

    proxy_http_version 1.1;
  }
}

server {
  listen 80;

  server_name consul.in.redalder.org;

  location / {
    proxy_pass http://blowhole.hosts.in.redalder.org:8500;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $host;

    proxy_http_version 1.1;
  }
}

server {
  listen 80;

  server_name vault.in.redalder.org;

  location / {
    proxy_pass http://blowhole.hosts.in.redalder.org:8200;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $host;

    proxy_http_version 1.1;
  }
}

server {
  listen 80;
  listen 81;

  server_name _;
  include /local/security.conf;

  location / {
    return 404;
  }
}

# server {
#   listen 443;

#   server_name _;

#   include /local/security.conf;

#   location / {
#     return 404;
#   }
# }