server {
  listen 443      ssl default_server;
  listen [::]:443 ssl default_server;
  http2 on;

$(if [ "$git_public_fqdn" != "$fqdn" ]; then
    cat <<EOF
  ssl_certificate         ${acme_cert_dir}/nginx.crt;
  ssl_certificate_key     ${acme_cert_dir}/nginx.key;
  ssl_trusted_certificate ${acme_cert_dir}/nginx.ca.crt;
EOF
  else
    cat <<EOF
  ssl_certificate      ${git_https_cert};
  ssl_certificate_key  ${git_https_key};
EOF
fi)

  auth_gss_keytab ${git_keytab};
  auth_gss_allow_basic_fallback ${git_basic_auth};

  add_header Strict-Transport-Security "max-age=63072000" always;

  root ${cgit_webroot};
  try_files \$uri @cgit;

  location ~ '^.+/(HEAD|info/refs|objects/(info/[^/]+|[0-9a-f]{2}/[0-9a-f]{38}|pack/pack-[0-9a-f]{40}\.(pack|idx))|git-(upload|receive)-pack)$' {
    auth_gss on;
    satisfy any;
$(printf '    deny %s;\n' $kerberized_cidrs)
    allow all;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME /usr/local/libexec/gitolite/gitolite-shell;
    fastcgi_param PATH_INFO \$uri;
    fastcgi_param GIT_HTTP_EXPORT_ALL '';
    fastcgi_param GIT_PROJECT_ROOT ${gitolite_home}/repositories;
    fastcgi_param GITOLITE_HTTP_HOME ${gitolite_home};
    fastcgi_param PATH /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin;
    fastcgi_pass unix:${gitolite_fcgiwrap_socket};
  }

  location @cgit {
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME ${cgit_webroot}/cgit.cgi;
    fastcgi_param SCRIPT_NAME '';
    fastcgi_param PATH_INFO \$uri;
    fastcgi_pass unix:${cgit_fcgiwrap_socket};
  }
}