server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name {{ tpl .Values.elementWebFQDN . }};

    ssl_certificate      /etc/letsencrypt/live/{{ tpl .Values.elementWebFQDN . }}/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/{{ tpl .Values.elementWebFQDN . }}/privkey.pem;

    client_max_body_size {{ .Values.max_filesize_in_mb}}m;

    location /.well-known/matrix/server {
      default_type application/json;
      return 200 '{"m.server": "{{ tpl .Values.synapseFQDN . }}:443" }';
    }
    location /.well-known/matrix/client {
      default_type application/json;
      return 200 '{ "m.homeserver": { "base_url": "https://{{ tpl .Values.synapseFQDN . }}" } }';
    }

    location / {
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;

      add_header X-Frame-Options SAMEORIGIN;
      add_header X-Content-Type-Options nosniff;
      add_header X-XSS-Protection "1; mode=block";
      add_header Content-Security-Policy "frame-ancestors 'none'";

      proxy_pass http://localhost:8080;
    }
}