ffho-salt-public/nginx/ff-frontend.conf

#
# FF Frontend configuration (Salt managed)
#

{%- set acme_thumbprint = salt['pillar.get']('acme:thumbprint', False) %}

{%- for domain, config in pillar.get('frontend', {}).items()|sort if 'file' not in config %}
  {%- set https = domain in salt['pillar.get']('cert', {}) and salt['pillar.get']('frontend:' ~ domain ~ ':https', True) %}
  {%- set http = salt['pillar.get']('frontend:' ~ domain ~ ':http', not https) %}
  {%- set host = salt['pillar.get']('frontend:' ~ domain ~ ':host', domain) %}

#
# {{ domain }}
server {
  {%- if http %}
	listen 80{% if http == 'default_server' %} default_server{% endif %};
	listen [::]:80{% if http == 'default_server' %} default_server{% endif %};
  {%- endif %}
  {%- if https %}
	listen 443{% if https == 'default_server' %} default_server{% endif %};
	listen [::]:443{% if https == 'default_server' %} default_server{% endif %};
  {%- endif %}

  {#- set server_name #}
  {%- if 'server_name' in config %}
	server_name {{ config.server_name }};
  {%- elif 'domains' in config %}
    {%- set domains = config.domains %}
    {%- do domains.append(domain) %}
	server_name ~^({{ domains|join('|') }})$;
  {%- else %}
	server_name "{{ domain }}";
  {%- endif %}

	access_log /var/log/nginx/{{ domain }}.access.log;
	error_log /var/log/nginx/{{ domain }}.error.log;

  {%- if https %}
	ssl on;
	ssl_certificate /etc/ssl/certs/{{ domain }}.cert.pem;
	ssl_certificate_key /etc/ssl/private/{{ domain }}.key.pem;
  {%- endif %}

  {%- if 'proxy_pass' in config %}
	location / {
		proxy_pass		{{ config.proxy_pass }};
		proxy_redirect		default;
		proxy_set_header	Host "{{ host }}";
		proxy_set_header	X-Forwarded-For $remote_addr;
		include			/etc/nginx/ffho.d/proxy-headers.conf;
	}
  {%- elif 'redirect' in config %}
	location / {
		return 302 {{ config.redirect }};
	}
  {%- elif 'location' in config %}
    {%- for location, loc_conf in config.location.items()|sort %}
	location {{ location }} {
      {%- if 'proxy_pass' in loc_conf %}
        {%- set loc_host = salt['pillar.get']('frontend:' ~ domain ~ ':location:' ~ location ~ ':host', host) %}
		proxy_pass		{{ loc_conf.proxy_pass }};
		proxy_redirect		default;
		proxy_set_header	Host "{{ loc_host }}";
		proxy_set_header	X-Forwarded-For $remote_addr;
		include			/etc/nginx/ffho.d/proxy-headers.conf;
      {%- elif 'redirect' in loc_conf %}
		return 302 {{ loc_conf.redirect }};
      {%- endif %}
	}
    {% endfor %}
  {%- endif %}

  {%- if acme_thumbprint %}
	location ~ "^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$" {
		default_type text/plain;
		return 200 "$1.{{ acme_thumbprint }}";
	}
  {%- endif %}
}
{%- endfor %}