user nginx nginx;
worker_processes 1;

error_log /var/log/nginx/error.log info;

events {
	worker_connections 1024;
	use epoll;
}

http {
	include /etc/nginx/mime.types.nginx;
	charset utf-8;
	types_hash_max_size 4096;
	default_type application/octet-stream;

	log_format main
		'$remote_addr - $remote_user [$time_local] '
		'"$request" $status $bytes_sent '
		'"$http_referer" "$http_user_agent" '
		'"$gzip_ratio" handler=$sent_http_handler';
	log_format i2pd
		'$remote_addr - $remote_user [$time_local] '
		'"$request" $status $bytes_sent '
		'"$http_referer" "$http_user_agent" '
		'"$gzip_ratio" '
		'"$http_host" "$http_x_i2p_destb32" "$http_x_i2p_desthash" "$http_x_i2p_destb64"';

	client_header_timeout 10m;
	client_body_timeout 10m;
	send_timeout 10m;

	connection_pool_size 256;
	client_header_buffer_size 1k;
	large_client_header_buffers 4 4k;
	request_pool_size 4k;

	gzip off;

	output_buffers 4 32k;
	postpone_output 1460;

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;

	keepalive_timeout 75 20;

	ignore_invalid_headers on;

	index index.html;

	ssl_protocols TLSv1.3;
	ssl_ecdh_curve X25519:prime256v1:secp384r1;
	ssl_prefer_server_ciphers off;

	server {
		listen 80 default_server;
		listen [::]:80 default_server;

		server_name _;
		location / {
			return 301 https://$host$request_uri;
		}

		location /.well-known/ {
			root /var/www/localhost/htdocs;
		}
	}

	server {
		listen 51.222.150.227:443 ssl default_server;
		listen [2607:5300:401:2c01::c0de]:443 ssl default_server;
		server_name cgit.space;

		ssl_certificate /etc/letsencrypt/live/cgit.space/fullchain.pem;
		ssl_certificate_key /etc/letsencrypt/live/cgit.space/privkey.pem;

		include server.conf;
	}

	server {
		listen 172.20.133.164:443 ssl;
		listen [fd62:5e23:8905:3::2]:443 ssl;
		server_name cgit.dn42;

		ssl_certificate /etc/letsencrypt/live/cgit.dn42/fullchain.pem;
		ssl_certificate_key /etc/letsencrypt/live/cgit.dn42/privkey.pem;

		include server.conf;
	}

	server {
		listen 51.222.150.227:444 ssl default_server;
		listen [2607:5300:401:2c01::c0de]:444 ssl default_server;
		server_name cgit.space;
		ssl_certificate /etc/letsencrypt/live/cgit.space/fullchain.pem;
		ssl_certificate_key /etc/letsencrypt/live/cgit.space/privkey.pem;
		ssl_verify_client on;
		ssl_trusted_certificate mtls_trusted_cert.pem;
	}

	server {
		listen unix:/var/run/tor/cgitspace.sock;
		server_name cgitspacea7m5fmo5stfwxkykfbrjcecevl6z3xm5u7nfppuiigqoeyd.onion;

		include server.conf;
	}

	server {
		listen 127.0.0.1:3275;
		server_name cgit.i2p cgitiek6febqkrplowpeqssm6cur3fk6de76oajer7dqixw2pwkq.i2p cgitiek6febqkrplowpeqssm6cur3fk6de76oajer7dqixw2pwkq.b32.i2p;

		include server.conf;
	}

#	server {
#		listen unix:/var/run/tor/dn42.sock;
#		server_name dn422hid5ejv7p67nw3nvn3uoqhxrr57hsagg2yxwsn72vuxwgi5veyd.onion;
#
#		location / {
#			proxy_pass https://dn42.wiki;
#			proxy_set_header Host dn42.wiki;
#			proxy_set_header X-Real-IP $remote_addr;
#			proxy_ssl_server_name on;
#			#proxy_set_header X-Forwarded-For $remote_addr;
#		}
#	}
}