{% set domain = "liwt.net" %}
#
# nginx/sites: aaronly.radicale.conf
# CalDAV/CardDAV server: dav.{{ domain }}
#
# Aaron LI
# 2017-04-27
#

{% if radicale is defined and domains_hascert[domain] %}
server {
    listen            443 ssl http2;
    listen       [::]:443 ssl http2;
    server_name  dav.{{ domain }};

    # SSL/TLS Certificate kindly provided by Let's Encrypt
    ssl_certificate      {{ web.ssl_root }}/{{ domain }}/fullchain;
    ssl_certificate_key  {{ web.ssl_root }}/{{ domain }}/key;

    # Reverse proxy to Radicale
    location / {
        auth_basic            "Radicale requires auth ...";
        auth_basic_user_file  /usr/local/etc/nginx/auth/radicale.passwd;

        # XXX: Hack to support "username[@domain]"-style login names
        # (NOTE: the "@domain" part is optional, so $username is always set)
        if ($remote_user ~ ^(?<user_>[^@/]+)(@[^/]+)?$) {
            set  $username  $user_;
        }

        # WSGI interface: http://radicale.org/wsgi/
        include      uwsgi_params;
        uwsgi_param  REMOTE_USER  $username;
        uwsgi_pass   unix:/tmp/uwsgi-radicale.sock;
    }
}
{% endif %}