{{ ansible_header | comment }}

server {
    listen 80;
    listen [::]:80;

    server_name {{ glob_framadate.hostname }};

    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src 'self'";
    add_header Referrer-Policy "strict-origin";

    root {{ loc_framadate.path }};

    index index.php;

    location ~^/(\.git)/{
        deny all;
    }

    location ~ /\. {
        deny all;
    }

    location ~ ^/composer\.json.*$|^/composer\.lock.*$|^/php\.ini.*$|^/.*\.sh {
        deny all;
    }

    location /admin/ {
        auth_basic "Restricted access";
        auth_basic_user_file /etc/nginx/.htpasswd;

        location ~ \.php$ {
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include /etc/nginx/fastcgi_params;
            fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        }
        try_files $uri $uri/ =401;
    }

    location / {
        rewrite "^/admin$" "/admin/" permanent;

        # Clean URL
        rewrite "^/([a-zA-Z0-9-]+)$" "/studs.php?poll=$1" last;
        rewrite "^/([a-zA-Z0-9-]+)/action/([a-zA-Z_-]+)/(.+)$" "/studs.php?poll=$1&$2=$3" last;
        rewrite "^/([a-zA-Z0-9-]+)/vote/([a-zA-Z0-9]{16})$" "/studs.php?poll=$1&vote=$2" last;
        rewrite "^/([a-zA-Z0-9]{24})/admin$" "/adminstuds.php?poll=$1" last;
        rewrite "^/([a-zA-Z0-9]{24})/admin/vote/([a-zA-Z0-9]{16})$" "/adminstuds.php?poll=$1&vote=$2" last;
        rewrite "^/([a-zA-Z0-9]{24})/admin/action/([a-zA-Z_-]+)(/([A-Za-z0-9]+))?$" "/adminstuds.php?poll=$1&$2=$4" last;
        try_files $uri /index.php;
    }

    location ~ \.php$ {
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    }
}