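{#
  nginx reverse-proxy vhost for <server>.actcur.com, rendered from pillar data.

  Template inputs used below:
    server                    - short host name; the vhost is <server>.actcur.com
    resolver                  - DNS resolver address handed to nginx
    pillar['nginx'][server]   - per-vhost options: https, auth, wildcard,
                                proxy_headers, http

  Output: one TLS server on 443 (always emitted) and, when the `http` key is
  present in pillar, a second plain-HTTP server on 80.

  `auth` starts as "blocked". While it stays "blocked" the 443 server gets no
  `location /`, so only the ACME location and whatever auth.conf emits at
  server level are served.

  NOTE(review): the lookup below reads pillar['nginx'][server]['auth'], while
  the port-80 section further down reads pillar['nginx'][server]['https']['auth'].
  Only one of these can match the real pillar layout - confirm which, because a
  wrong path here silently leaves the vhost "blocked" (or, conversely, ignores
  an intended setting).
#}
{%- set auth = "blocked" -%}
{%- if pillar['nginx'][server]['https'] is defined -%}
  {%- if pillar['nginx'][server]['auth'] is defined -%}
    {%- set auth = pillar['nginx'][server]['auth'] -%}
  {%- endif -%}
{%- endif -%}
{#- Optional extra server_name "*.<server>.actcur.com" when pillar sets a truthy `wildcard`. -#}
{%- set wildcard = "" -%}
{%- if pillar['nginx'][server]['wildcard'] is defined -%}
  {%- if pillar['nginx'][server]['wildcard'] -%}
    {%- set wildcard = "*." ~ server ~ ".actcur.com" -%}
  {%- endif -%}
{%- endif -%}
server {
    # TLS is enabled on the listen socket. The separate "ssl on;" directive was
    # deprecated in nginx 1.15.0 and removed in 1.25.1, where it fails config load.
    listen 443 ssl;
    server_name {{server}}.actcur.com {{wildcard}};
    resolver {{resolver}};

    # proxy_pass targets are kept in variables, so nginx resolves the names at
    # request time through the resolver configured above.
    set $backend "https://{{server}}.actcur.com";
    set $certbot "https://salt.actcur.com";
    {# NOTE(review): both upstreams are https, but proxy_ssl_verify is not set in
       this template. nginx's default is off, so unless it is enabled in an
       enclosing context the upstream certificate is not validated - confirm. #}

    ssl_certificate /etc/nginx/certs/{{server}}.actcur.com/fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/{{server}}.actcur.com/privkey.pem;
    ssl_session_cache shared:SSL:10m;
    {# NOTE(review): no ssl_protocols / ssl_ciphers here; the TLS policy is whatever
       the enclosing http context or the nginx build defaults provide - confirm. #}

    client_max_body_size 1024m;

    # ACME challenge requests are relayed to the salt host (presumably where
    # certbot answers them); this location is served even when auth is "blocked".
    location /.well-known/acme-challenge/ {
        proxy_pass $certbot;
        proxy_set_header Host $host;
    }

    {# auth.conf is included twice: with location="1" at server level and with
       location="2" inside `location /`. Its contents are not part of this file;
       it presumably emits the access-control directives selected by `auth`. #}
    {% set location="1" %}{% include 'roles/maintain/nginx-proxy/auth.conf' %}
    {%- if auth != "blocked" %}
    location / {
        {% set location="2" %}{% include 'roles/maintain/nginx-proxy/auth.conf' %}
        proxy_pass $backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port 443;
        # Client-address headers are overwritten with the directly connected peer,
        # so values supplied by the client are not passed on to the backend.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Ssl on;
        {#- Extra headers from pillar are written verbatim (name and value are not
            quoted or escaped), so pillar values must be valid nginx syntax. -#}
        {%- if pillar['nginx'][server]['proxy_headers'] is defined -%}
        {%- for header in pillar['nginx'][server]['proxy_headers'] %}
        proxy_set_header {{header}} {{pillar['nginx'][server]['proxy_headers'][header]}};
        {%- endfor %}
        {%- endif %}
        # rewrite backend redirects that point at http:// to https://, example: /home
        proxy_redirect http:// https://;
    }
    {%- endif %}

    error_log /var/log/nginx/{{server}}_error.log;
    access_log /var/log/nginx/{{server}}_access.log;
}
{#
  Optional plain-HTTP listener, emitted only when pillar has an `http` key.

  NOTE(review): `auth` is recomputed below but never referenced in the port-80
  server: that server has no auth.conf include and no `auth != "blocked"` gate,
  so `location /` proxies to the backend for every client. If the 443 vhost is
  meant to be access-controlled, the same content may be reachable here without
  that control - gate this location on `auth`, include auth.conf, or answer with
  a redirect to https instead, whichever matches the intent.

  NOTE(review): the lookup indexes ['https']['auth'] without first checking that
  ['https'] is defined; depending on the renderer's undefined policy this can
  abort rendering when `http` is set and `https` is not - confirm.
#}
{% if pillar['nginx'][server]['http'] is defined -%}
  {%- if pillar['nginx'][server]['https']['auth'] is defined -%}
    {%- set auth = pillar['nginx'][server]['https']['auth'] -%}
  {%- else -%}
    {%- set auth = "blocked" -%}
  {%- endif -%}
server {
    listen 80;
    {# The wildcard name is not applied on port 80; only the exact host is served. #}
    server_name {{server}}.actcur.com;
    resolver {{resolver}};

    # Same runtime-resolved upstream variables as the TLS server, over plain http.
    set $backend "http://{{server}}.actcur.com";
    set $certbot "http://salt.actcur.com";

    client_max_body_size 1024m;

    # ACME challenge requests are relayed to the salt host.
    location /.well-known/acme-challenge/ {
        proxy_pass $certbot;
        proxy_set_header Host $host;
    }

    location / {
        proxy_pass $backend;
        proxy_set_header Host $host;
        # rewrite backend redirects that point at https:// to http://, example: /home
        proxy_redirect https:// http://;
    }

    # Shares the log files of the 443 server for this vhost.
    error_log /var/log/nginx/{{server}}_error.log;
    access_log /var/log/nginx/{{server}}_access.log;
}
{%- endif -%}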