infra/roles/gitea/templates/01-gitea.j2

map $request_uri $x_robots_tag {
    "~*/explore(.*)$"               "noindex";
    "~*/mirrors/(.*)/commit/(.*)$"  "noindex";
    "~*/mirrors/(.*)/projects(.*)$" "noindex";
    "~*/mirrors/(.*)/activity(.*)$" "noindex";
    "~*/mirrors/(.*)/releases(.*)$" "noindex";
    "~*/mirrors/(.*)/issues/(.*)$" "noindex";
}
server {

  listen 443 ssl http2;
  # listen   [::]:443 ssl; # listen for ipv6
  {% if inventory_hostname in wg_clients -%}
  listen {{ wg_clients[inventory_hostname].ip }}:443 ssl http2;
  {% endif -%}

  include /etc/nginx/sudo-known.conf;
  include listen-proxy-protocol.conf;
  include sec.conf;
  server_name {{ gitea_url }} {{ gitea_extra_urls | default([]) | join([" "]) }};

  # default value
  set $header_sudo_gitea "gitea";

  {% for item in ["/metrics"] -%}
  location {{ item }} {
     allow 127.0.0.1;
     allow {{ my_public_ips[inventory_hostname] }}/32;
     allow {{ my_public_ips[ansible_control_host] }}/32;
     allow {{ wireguard_cidr }};
     deny all;

    proxy_pass http://{{ bridgewithdns.gitea }}:{{ gitea_docker_port }};
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  }
  {% endfor %}

  location / {

      rewrite ^/LICENSE(.*)$ https://www.sudo.is/LICENSE.txt redirect;

      proxy_pass         http://{{ bridgewithdns.gitea }}:{{ gitea_docker_port }};

      proxy_redirect     off;
      proxy_set_header   Host $host;
      proxy_set_header   X-Real-IP $remote_addr;
      proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header   X-Forwarded-Host $server_name;
      proxy_set_header   X-Forwarded-Proto $scheme;

      set $header_sudo_gitea "gitea";

      # ben/glados-tts generates a HUGE docker image
      client_max_body_size 7G;
      proxy_max_temp_file_size 2048m;
   }

   location /{{ gitea_team_org }}/issues {
       # relies on "port_in_direct off" from listen-proxy-protocol.conf
       set $header_sudo_gitea "redirect";
       return 302 "/{{ gitea_team_org }}/issues/";
   }
   {% for item in ['issues', 'wiki'] -%}
   location /{{ gitea_team_org }}/{{ item }}/ {
       proxy_pass         http://{{ bridgewithdns.gitea }}:{{ gitea_docker_port }}/{{ gitea_team_org }}/{{ gitea_issues_repo }}/{{ item }}/;

       proxy_redirect     off;
       proxy_set_header   Host $host;
       proxy_set_header   X-Real-IP $remote_addr;
       proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header   X-Forwarded-Host $server_name;
       proxy_set_header   X-Forwarded-Proto $scheme;
       set $header_sudo_gitea "gitea, {{ item }}";
   }
   {% endfor %}

   #location = /{{ myusername }} {
   #    return 302 https://{{ gitea_url }}/{{ myusername }}/;
   #}
   location /robots.txt {
       # gitea itself can also serve this file
       alias {{ gitea_user.home }}/robots.txt;
   }
   location /sitemap.xml {
       # gitea itself can also serve this file
       alias {{ gitea_user.home }}/sitemap.xml;
   }
   location /user/sso {
       return 302 /user/oauth2/{{ gitea_oidc_name }}?redirect_to=$arg_redirect_to;
   }

   location /user/forgot_password {
       return 302 https://{{ authelia_login_url }}/reset-password/step1;
   }

   {% if shieldsio_enabled -%}

   gzip_static off;
   gzip off;

   location = {{ shieldsio_path }} {
     return 302 {{ shieldsio_path }}/;
   }
   {# location /page-data {
    #   # wrong: /page-data/shieldsio/page-data.json
    #   # should be: {{ shieldsio_path }}/page-data/index/page-data.json
    #
    #   #rewrite '^/page-data{{ shieldsio_path }}(/.*)' '/page-data/index$1';
    #   return 302 {{ shieldsio_path }}$uri;
    # } #}

   location {{ shieldsio_path }}/ {
     rewrite '^{{ shieldsio_path }}(/.*)$' $1 break;

     proxy_set_header Accept-Encoding "";
     sub_filter 'href="/' 'href="{{ shieldsio_path }}/';
     sub_filter 'src="/' 'src="{{ shieldsio_path }}/';
     #sub_filter 'pagePath="/' 'pagePath="{{ shieldsio_path }}/';
     sub_filter_once off;
     sub_filter_types *;

     #sub_filter '\$\{\_\_PATH_PREFIX\_\_\}' '{{ shieldsio_path }}/';

     proxy_pass http://127.0.0.1:{{ shieldsio_port }};

     proxy_redirect     off;
     proxy_set_header   Host $host;
     proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;

     set $header_sudo_gitea "shields.io";
   }
   {% endif %}


   access_log /var/log/nginx/access_{{ gitea_url }}.log main;
   error_log /var/log/nginx/error_{{ gitea_url }}.log warn;

   ssl_certificate /usr/local/etc/certs/{{ gitea_url }}/fullchain.pem;
   ssl_certificate_key /usr/local/etc/certs/{{ gitea_url }}/privkey.pem;

   #add_header Referrer-Policy "no-referrer" always;
   #add_header X-Frame-Options "SAMEORIGIN" always;
   #add_header X-Permitted-Cross-Domain-Policies "none" always;
   #add_header X-XSS-Protection "1; mode=block" always;
   add_header SUDO-GITEA $header_sudo_gitea always;
   add_header X-Robots-Tag $x_robots_tag always;

   fastcgi_hide_header X-Powered-By;
}