################################################################################
# This file was generated by Ansible for {{ansible_fqdn}}
# Do NOT modify this file by hand!
################################################################################

{% if nextcloud_install_tls and nextcloud_tls_enforce %}
{% for domain in nextcloud_trusted_domain %}
<VirtualHost *:80>
  ServerName {{ domain }}
  Redirect permanent / https://{{ domain | ansible.utils.ipwrap }}/
</VirtualHost>
{% endfor %}
{% else %}
<VirtualHost *:80>
  ServerName {{ nextcloud_trusted_domain[0] }}
{% for index in range(1, nextcloud_trusted_domain|length) %}
  ServerAlias {{ nextcloud_trusted_domain[index]}}
{% endfor %}
  DocumentRoot {{ nextcloud_webroot }}
  {% if (nextcloud_max_upload_size_in_bytes|int) <= 2147483647-%}
  LimitRequestBody {{ nextcloud_max_upload_size_in_bytes }}
  {% endif -%}
  <Directory {{ nextcloud_webroot }}>
    Allow from all
    Satisfy Any
    Options +FollowSymlinks
    AllowOverride All

   <IfModule mod_dav.c>
    Dav off
   </IfModule>

   SetEnv HOME {{ nextcloud_webroot }}
   SetEnv HTTP_HOME {{ nextcloud_webroot }}

  </Directory>
</VirtualHost>
{% endif %}

{% if nextcloud_install_tls %}
<VirtualHost *:443>
  ServerName {{ nextcloud_trusted_domain[0] }}
{% for index in range(1, nextcloud_trusted_domain|length) %}
  ServerAlias {{ nextcloud_trusted_domain[index]}}
{% endfor %}
  DocumentRoot {{ nextcloud_webroot }}
  {% if (nextcloud_max_upload_size_in_bytes|int) <= 2147483647-%}
  LimitRequestBody {{ nextcloud_max_upload_size_in_bytes }}
  {% endif -%}
  SSLEngine on
  SSLCertificateFile      {{ nextcloud_tls_cert_file }}
  SSLCertificateKeyFile   {{ nextcloud_tls_cert_key_file }}
{% if nextcloud_tls_cert_chain_file is defined %}
  SSLCertificateChainFile {{ nextcloud_tls_cert_chain_file }}
{% endif %}

  # enable HTTP/2, if available
  Protocols h2 http/1.1

{% if nextcloud_hsts is string %}
  <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "{{ nextcloud_hsts }}"
  </IfModule>
{% endif %}

  <Directory {{ nextcloud_webroot }}>
    Allow from all
    Satisfy Any
    Options +FollowSymlinks
    AllowOverride All

   <IfModule mod_dav.c>
    Dav off
   </IfModule>

   SetEnv HOME {{ nextcloud_webroot }}
   SetEnv HTTP_HOME {{ nextcloud_webroot }}

  </Directory>
</VirtualHost>
{% endif %}

{% if nextcloud_install_tls %}
{% if nextcloud_mozilla_modern_ssl_profile %}
# modern configuration, tweak to your needs
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
{% else %}
# intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
{% endif %}

SSLHonorCipherOrder     off
# SSLSessionTickets       off

SSLCompression          off

# OCSP stapling
SSLUseStapling          on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache        shmcb:/var/run/ocsp(128000)
{% endif %}