server {
        listen 0.0.0.0:443 ssl;
	listen 0.0.0.0:443 quic;
        listen [2603:c021:c001:31fa:780:b000:0:415]:443 ssl;
	listen [2603:c021:c001:31fa:780:b000:0:415]:443 quic;

	http2 on;
	http3 on;

        server_name matrix.gnu.moe;

        ssl_certificate /etc/letsencrypt/live/gnu.moe/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/gnu.moe/privkey.pem;

        access_log off;
        error_log /var/log/nginx/matrix.error.log;

	add_header Alt-Svc 'h3=":443"; ma=86400';

        # media endpoints
        location ~* ^(/_matrix/media/|/_matrix/client/v1/media/|/_matrix/federation/v1/media/) { proxy_pass http://127.0.0.1:8209; }
        location ~* ^(/_synapse/admin/v1/purge_media_cache$|/_synapse/admin/v1/room/.*/media.*$|/_synapse/admin/v1/user/.*/media.*$|/_synapse/admin/v1/media/.*$|/_synapse/admin/v1/quarantine_media/.*$|/_synapse/admin/v1/users/.*/media$) {
                proxy_pass http://127.0.0.1:8209;
                include acl_matrix_admin.conf;
        }
        
        # federation endpoints
        location ~* ^(/_matrix/federation/v1/event/|/_matrix/federation/v1/state/|/_matrix/federation/v1/state_ids/|/_matrix/federation/v1/backfill/|/_matrix/federation/v1/get_missing_events/|/_matrix/federation/v1/publicRooms|/_matrix/federation/v1/query/|/_matrix/federation/v1/make_join/|/_matrix/federation/v1/make_leave/|/_matrix/federation/(v1|v2)/send_join/|/_matrix/federation/(v1|v2)/send_leave/) { proxy_pass http://127.0.0.1:8210; }
        location ~* ^(/_matrix/federation/v1/make_knock/|/_matrix/federation/v1/send_knock/|/_matrix/federation/(v1|v2)/invite/|/_matrix/federation/v1/event_auth/|/_matrix/federation/v1/timestamp_to_event/|/_matrix/federation/v1/exchange_third_party_invite/|/_matrix/federation/v1/user/devices/|/_matrix/key/v2/query|/_matrix/federation/v1/hierarchy/|/_matrix/federation/v1/send/) { proxy_pass http://127.0.0.1:8210; }
        
        # common endpoints
        location ~* ^(/_matrix|/_synapse/client) { proxy_pass http://127.0.0.1:8208; }

        # metrics endpoitns
        location = /_syn/media {
                proxy_pass http://127.0.0.1:8301/_synapse/metrics;
                include acl_matrix_admin.conf;
        }
        location = /_syn/fedi {
                proxy_pass http://127.0.0.1:8302/_synapse/metrics;
                include acl_matrix_admin.conf;
        }
        location = /_syn/bgj {
                proxy_pass http://127.0.0.1:8303/_synapse/metrics;
                include acl_matrix_admin.conf;
        }

        # admin endpoints
        location ~* ^(/_synapse/metrics|/_synapse/admin|/health) {
                proxy_pass http://127.0.0.1:8208;
                include acl_matrix_admin.conf;
        }

        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host:$server_port;
        proxy_http_version 1.1;
        client_max_body_size 32M;

	location /.well-known/matrix/server { return 200 '{ "m.server": "matrix.gnu.moe:443" }\n'; }
	location /.well-known/matrix/client { return 200 '{ "m.homeserver": { "base_url": "https://matrix.gnu.moe" } }\n'; }

	include robots.conf;

	location / { return 418; }
}