server {
	server_name ${GITEA_HOSTNAME} ${GITEA_HOSTNAME}.${DOMAIN_NAME};
	client_max_body_size 128m;

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;

	gzip on;
	gzip_disable "msie6";

	proxy_read_timeout 1800s;

	location / {
		proxy_pass http://gitea:3000;
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
	}

	# force login with OIDC
	location /user/login {
		return 302 https://${GITEA_HOSTNAME}.${DOMAIN_NAME}/user/oauth2/keycloak;
	}

	listen 443 ssl;
	ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
	include /etc/nginx/includes/options-ssl-nginx.conf;
	include /etc/nginx/includes/challenge.conf;
	ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
}