{{ ansible_managed | comment }}

{{ monitoring_prometheus_domain }} {
  encode gzip

  header {
    # enable HSTS
    Strict-Transport-Security "max-age=31536000; preload;"

    # disable clients from sniffing the media type
    X-Content-Type-Options nosniff

    # clickjacking protection
    X-Frame-Options DENY

    # keep referrer data off of HTTP connections
    Referrer-Policy no-referrer-when-downgrade

    # Server name removing
    -Server
  }

  @validPrometheus {
    method POST
    path /api/v1/write
  }

  handle @validPrometheus {
    reverse_proxy prometheus:9090
{% if monitoring_prometheus_basic_auth is defined and monitoring_prometheus_basic_auth is iterable %}
    basicauth {
{% for item in monitoring_prometheus_basic_auth %}
      {{ item.username }} {{ item.hashed_password }}
{% endfor%}
    }
{% endif %}
  }

  handle {
    respond "Not Found" 404
  }
}