upstream vaultwarden-default {
  zone vaultwarden-default 64k;
  server 192.168.1.36:8080;
  keepalive 2;
}

# See: https://nginx.org/en/docs/http/websocket.html
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      "";
}

# Redirect HTTP to HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name vaultwarden.aldon.fr;

    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl http2;
    server_name vaultwarden.aldon.fr;

    ssl_certificate     /etc/letsencrypt/live/aldon.fr/fullchain.pem;
    ssl_certificate_key   /etc/letsencrypt/live/aldon.fr/privkey.pem;
    
    add_header Strict-Transport-Security "max-age=31536000;";
    
    #ssl_trusted_certificate /etc/letsencrypt/live/vaultwarden.aldon.fr/fullchain.pem;

    client_max_body_size 525M;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    location / {
      proxy_pass http://vaultwarden-default;
    }

    # Optionally add extra authentication besides the ADMIN_TOKEN
    # Remove the comments below `#` and create the htpasswd_file to have it active
    #
    #location /admin {
    #  # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
    #  auth_basic "Private";
    #  auth_basic_user_file /path/to/htpasswd_file;
    #
    #  proxy_pass http://vaultwarden-default;
    #}
}