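# Redmine virtual host (Ansible/Jinja2 template; the application is served
# through Passenger). The public name is redmine.apidb.org on the production VM
# and the host's FQDN everywhere else.

# Plain HTTP: nothing is served here, every request is redirected to HTTPS.
server {
    listen 80;
{% if is_production_vm %}
    server_name redmine.apidb.org;
{% else %}
    server_name {{ ansible_fqdn }};
{% endif %}

    # NOTE(review): $host echoes the client-supplied Host header, and this is
    # the only port-80 server block visible in this template, so it presumably
    # answers for any Host value. Redirecting to $server_name instead would pin
    # the target to the configured name; confirm nothing relies on other names.
    return 301 https://$host$request_uri;
}

# HTTPS: TLS termination and the Redmine application itself.
server {
    # The "ssl" parameter of listen replaces the deprecated "ssl on;"
    # directive, which current nginx releases no longer accept.
    listen 443 ssl;
{% if is_production_vm %}
    server_name redmine.apidb.org;
{% else %}
    server_name {{ ansible_fqdn }};
{% endif %}

    # Certificate chain and private key are both read from one combined PEM.
    # NOTE(review): that file therefore holds the private key inside the certs
    # directory; it should be readable by root only. Confirm the mode and owner
    # in whatever task provisions it.
    ssl_certificate /etc/pki/tls/certs/{{ ansible_fqdn }}.pem;
    ssl_certificate_key /etc/pki/tls/certs/{{ ansible_fqdn }}.pem;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996), so only TLS 1.2 stays enabled.
    # Add TLSv1.3 here once the installed nginx/OpenSSL build supports it.
    ssl_protocols TLSv1.2;

    # Same preference order as before, minus the three 3DES suites (64-bit
    # block cipher, SWEET32). "!3DES" keeps them excluded even if an alias is
    # added to the list later.
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:!DSS:!3DES;
    ssl_prefer_server_ciphers on;

    # Do not advertise the nginx version in headers or error pages.
    server_tokens off;

    # Only same-origin pages may frame the site (clickjacking defence).
    add_header X-Frame-Options SAMEORIGIN;
{% if is_production_vm %}
    # Port 80 only redirects, so browsers can be told to use HTTPS directly.
    # Limited to production, where the certificate is expected to validate.
    add_header Strict-Transport-Security "max-age=31536000";
{% endif %}

    root {{ redmine_root_dir }}/public;
    passenger_enabled on;

    # Upper bound on request bodies; larger uploads are rejected by nginx
    # before they reach the application.
    client_max_body_size 50M;
}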