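{{ ansible_managed | comment }}

# Response headers shared by both site blocks below. Defined once as a Caddy
# snippet so the two sites cannot drift apart when a header is changed.
(security_headers) {
    header {
        # enable HSTS
        # NOTE(review): `preload` without `includeSubDomains` does not meet the
        # browser preload-list submission requirements, so the token has no
        # effect as written. Either drop `preload`, or add `includeSubDomains`
        # once every subdomain is confirmed to serve HTTPS.
        Strict-Transport-Security "max-age=31536000; preload;"
        # disable clients from sniffing the media type
        X-Content-Type-Options nosniff
        # clickjacking protection
        X-Frame-Options DENY
        # keep referrer data off of HTTP connections
        Referrer-Policy no-referrer-when-downgrade
        # Server name removing
        -Server
    }
}

# Homeserver site: compresses responses, applies the shared headers and
# forwards every request to the Synapse listener at synapse:8008.
{{ synapse_server_domain }} {
    encode gzip
    import security_headers

    # NOTE(review): there is no path matcher here, so every path is forwarded
    # to Synapse, including the admin API under /_synapse/admin. Synapse's
    # reverse-proxy guidance only requires /_matrix and /_synapse/client to be
    # reachable from outside. Confirm whether the admin API is meant to be
    # internet-facing; if not, restrict the proxied paths or limit
    # /_synapse/admin to trusted source addresses.
    reverse_proxy synapse:8008
}

# Base-domain site: serves only the static .well-known delegation documents
# that point Matrix clients and federating servers at the homeserver site.
{{ synapse_domain }} {
    encode gzip
    import security_headers

    ## matrix client/server delegation
    handle_path /.well-known/matrix/* {
        # The wildcard CORS origin is scoped to this handle_path block, which
        # only returns the static discovery documents below; keep it out of
        # the site-wide header set.
        header Access-Control-Allow-Origin *
        ## `Content-Type: application/json` isn't required by the matrix spec
        ## but some browsers (firefox) and some other tooling might preview json
        ## content prettier when they are made aware via Content-Type
        header Content-Type application/json
        respond /client `{ "m.homeserver": { "base_url": "https://{{ synapse_server_domain }}" } }`
        respond /server `{ "m.server": "{{ synapse_server_domain }}:443" }`
        ## return http/404 if nothing matches
        respond 404
    }
}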