server {

    listen 80 ;
    listen [::]:80 ;

    server_name gitlist.patrikx3.com;

    error_log /var/log/nginx/gitlist.patrikx3.com-error.log;
    access_log /var/log/nginx/gitlist.patrikx3.com-access.log combined;
    root /var/www/gitlist.patrikx3.com/public;
    location ~ /.well-known {
        auth_basic off;
        auth_pam off;
        allow all;
        root /var/www/acme-challenge;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    return 301 https://$host$request_uri;
}


server {

    ssl on;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name gitlist.patrikx3.com;

    error_log /var/log/nginx/gitlist.patrikx3.com-error.log;
    access_log /var/log/nginx/gitlist.patrikx3.com-access.log combined;
    root /var/www/gitlist.patrikx3.com/public;

    ssl_certificate /root/acme/ssl/patrikx3.com/fullchain.cer;
    ssl_certificate_key /root/acme/ssl/patrikx3.com/patrikx3.com.key;

    # it uses the built in Linux security called PAM,
    # but you could use a
    # auth_basic on;
    # auth_basic_user_file /etc/nginx/.htpasswd;

    auth_pam "Restricted";
    auth_pam_service_name "nginx";

    limit_req zone=default_limit burst=1000;
    limit_conn default_limit_conn 100;

    location ~ /.well-known {
        auth_basic off;
        auth_pam off;
        allow all;
        root /var/www/acme-challenge;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    set $x_frame_options_policy 'self';
    add_header Strict-Transport-Security "max-age=31536000; " always;
    add_header X-Frame-Options "ALLOW-FROM gitlist.patrikx3.com";
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Content-Security-Policy "frame-ancestors $x_frame_options_policy";


    index index.php;

    location / {
        autoindex on;
        set $redirect_url $uri;
        try_files $uri $uri/ /index.php$is_args$query_string;
    }

    location = /index.php {
        include snippets/fastcgi-php.conf;
        fastcgi_param SCRIPT_FILENAME $request_filename;
        fastcgi_pass unix:/var/run/php/php8.0-fpm-git.sock;
    }

    # static repo files for cloning over https
    location ~ ^.*\.git/objects/([0-9a-f]+/[0-9a-f]+|pack/pack-[0-9a-f]+.(pack|idx))$ {
        root /my/git/repos;
    }

    # requests that need to go to git-http-backend
    location ~ ^.*\.git/(HEAD|info/refs|objects/info/.*|git-(upload|receive)-pack)$ {
        proxy_read_timeout 900;
        fastcgi_read_timeout 900;
        uwsgi_read_timeout 900;

        client_max_body_size 20G;
        root /my/git/repos;
        fastcgi_pass unix:/var/run/fcgiwrap-git.socket;
        fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
        fastcgi_param PATH_INFO $uri;
        fastcgi_param GIT_PROJECT_ROOT $document_root;
        fastcgi_param GIT_HTTP_EXPORT_ALL "";
        fastcgi_param REMOTE_USER $remote_user;
        include fastcgi_params;
    }
}