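# nginx vhost for a MoinMoin instance served over TLS and handed to uwsgi.
# Rendered by cookiecutter: {{ ... }} and {% ... %} are template markup.
server {
    listen 443 ssl;
    server_name {{cookiecutter.domain}};

    add_header X-Clacks-Overhead "GNU Terry Pratchett";
    access_log /var/log/nginx/moin_{{cookiecutter.directory_name}}.access.log;

    {% if cookiecutter.access == "university only" %}
    # Access is only allowed from the internal university network
    allow 132.230.0.0/16;
    allow 192.52.0.0/16;
    allow 10.0.0.0/8;
    deny all;
    {% endif %}

    # ssl configuration
    # ssl key and certificate
    ssl_certificate /etc/ssl/uni-fr/live/{{cookiecutter.directory_name}}/fullchain.pem;
    ssl_certificate_key /etc/ssl/uni-fr/keys/{{cookiecutter.directory_name}}.key;

    # ssl protocols and ciphers
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and no longer accepted by
    # current browsers; offer TLS 1.2 only.
    ssl_protocols TLSv1.2;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM:EECDH:EDH:!MD5:!RC4:!LOW:!MEDIUM:!CAMELLIA:!ECDSA:!DES:!DSS:!3DES:!NULL;
    ssl_prefer_server_ciphers on;

    # Diffie-Hellman parameters for the EDH suites and the curve for EECDH
    ssl_dhparam /etc/ssl/nginx/dhparam2048.pem;
    ssl_ecdh_curve secp384r1;

    # add HSTS header
    # "always" attaches the header to error responses too (e.g. the 403 from
    # "deny all" above); without it nginx only adds headers to 2xx/3xx replies.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location /HonigTopf {
        # Force the GIF content type through the types table instead of
        # add_header: an add_header inside a location discards every
        # add_header inherited from the server block (HSTS included) and
        # would emit a second Content-Type next to the one nginx sets itself.
        types { }
        default_type image/gif;
        alias /var/www/moin/static/honeypot.gif;
    }

    # Static assets; location and alias both end in "/" so the alias
    # mapping cannot be escaped with an off-by-slash path.
    location ^~ /moin_static/ {
        alias /var/www/moin_static/;
    }

    location ^~ /static/ {
        alias /var/www/moin/static/;
    }

    location / {
        try_files $uri @moin;
    }

    location @moin {
        include uwsgi_params;
        # NOTE(review): /tmp is shared and world-writable; a socket under a
        # service-owned directory (e.g. a runtime dir) avoids another local
        # user pre-creating the path -- confirm against the uwsgi config.
        uwsgi_pass unix:/tmp/moin.sock;
    }
}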