server {
	listen 80;
	listen [::]:80;

	server_name {{ pretix_domain }};

	location /.well-known/acme-challenge {
		default_type "text/plain";
		alias /var/www/acme-challenge;
	}

	location / {
		return 301 https://{{ pretix_domain }}$request_uri;
	}
}

server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name {{ pretix_domain }};

	ssl_certificate_key /etc/nginx/ssl/{{ pretix_domain }}.key;
	ssl_certificate /etc/nginx/ssl/{{ pretix_domain }}.crt;

	add_header Referrer-Policy same-origin;
	add_header X-Content-Type-Options nosniff;

	location / {
		proxy_pass http://localhost:8345;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto https;
		proxy_set_header Host $http_host;
	}

	location /media/ {
		alias /opt/pretix/data/media/;
		expires 7d;
		access_log off;
	}

	location ^~ /media/cachedfiles {
		deny all;
		return 404;
	}

	location ^~ /media/invoices {
		deny all;
		return 404;
	}

	location /static/ {
		alias /opt/pretix/venv/lib/python3.9/site-packages/pretix/static.dist/;
		access_log off;
		expires 365d;
		add_header Cache-Control "public";
	}
}