# HTTP → HTTPS redirect + ACME challenge server { listen 80; listen [::]:80; server_name ${DOMAIN}; # Let's Encrypt webroot challenge location /.well-known/acme-challenge/ { root /var/www/certbot; } location / { return 301 https://$host$request_uri; } } # HTTPS — main entry point server { listen 443 ssl; listen [::]:443 ssl; http2 on; server_name ${DOMAIN}; # ── TLS ─────────────────────────────────────────────────────────────────── ssl_certificate /etc/letsencrypt/live/${DOMAIN}/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/${DOMAIN}/privkey.pem; include /etc/letsencrypt/options-ssl-nginx.conf; ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # ── Security headers ────────────────────────────────────────────────────── add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always; add_header X-Frame-Options SAMEORIGIN always; add_header X-Content-Type-Options nosniff always; add_header Referrer-Policy strict-origin-when-cross-origin always; # ── Geo-block check ─────────────────────────────────────────────────────── # The watcher renders a location block per repo that checks the per-repo # variable and returns the configured status + body when blocked. include /etc/nginx/geoblock/repo_locations.conf; # ── Proxy to Forgejo ────────────────────────────────────────────────────── location / { proxy_pass http://forgejo:3000; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # Git push/pull can involve large objects client_max_body_size 512m; proxy_request_buffering off; proxy_buffering off; proxy_read_timeout 600s; proxy_send_timeout 600s; } }