upstream nextcloud_backend {
{% for i in range(1, nextcloud_scale_factor + 1) %}
  server nextcloud-nextcloud-{{ i }}:9000;
{% endfor %}
}

server {
  listen 80;
  server_name _;

  # Serve Nextcloud files
  root /var/www/html;
  index index.php index.html /index.php$request_uri;

  include /etc/nginx/mime.types;
  types { application/javascript mjs; }

  client_max_body_size {{ nextcloud_upload_limit_mb }}M;
  fastcgi_buffers 64 4k;

  # Security headers
  add_header X-Content-Type-Options nosniff;
  add_header X-Frame-Options "SAMEORIGIN" always;
  add_header X-XSS-Protection "1; mode=block";
  add_header X-Robots-Tag "noindex, nofollow" always;
  add_header X-Permitted-Cross-Domain-Policies "none" always;
  add_header Referrer-Policy "no-referrer" always;


  # DAV
  location = /.well-known/carddav { return 308 https://$host/remote.php/dav; }
  location = /.well-known/caldav  { return 308 https://$host/remote.php/dav; }

  # Federated sharing / Webfinger / Nodeinfo / Host-meta
  # Forward them to index.php so Nextcloud can handle them
  location = /.well-known/webfinger  { return 308 https://$host/index.php$request_uri; }
  location = /.well-known/nodeinfo   { return 308 https://$host/index.php$request_uri; }
  location = /.well-known/host-meta  { return 308 https://$host/index.php$request_uri; }
  location = /.well-known/host-meta.json { return 308 https://$host/index.php$request_uri; }
  location = /robots.txt { allow all; log_not_found off; access_log off; }
  # denies
  location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ { deny all; }
  location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { deny all; }

  location / {
    try_files $uri $uri/ /index.php$request_uri;
  }

  location ~ \.php(?:$|/) {
    # Only allow the front controller
    try_files $fastcgi_script_name =404;

    include fastcgi_params;
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;

    # Pass to PHP-FPM in the nextcloud container
    fastcgi_pass nextcloud_backend;

    # Tell Nextcloud it’s HTTPS (double proxy) and behind proxies
    fastcgi_param HTTPS on;
    fastcgi_param modHeadersAvailable true;
    fastcgi_param front_controller_active true;

    # Preserve original host/proto from outer proxies via Traefik
    fastcgi_param HTTP_X_FORWARDED_PROTO $http_x_forwarded_proto;
    fastcgi_param HTTP_X_FORWARDED_HOST  $http_host;
    fastcgi_param HTTP_X_FORWARDED_FOR   $proxy_add_x_forwarded_for;
    fastcgi_param HTTP_X_REAL_IP $remote_addr;
    fastcgi_intercept_errors on;
    fastcgi_request_buffering off;
  }

  # Caching for static assets
  location ~ \.(?:css|js|mjs|woff2?|svg|gif|map)$ {
    try_files $uri /index.php$request_uri;
    expires 6M;
    access_log off;
  }
  location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
    try_files $uri /index.php$request_uri;
    expires 6M;
    access_log off;
  }
}