upstream xandikos {
    server 127.0.0.1:8080;
    # server unix:/run/xandikos.socket; # nginx will need write permissions here
}

server {
    server_name dav.example.com;

    # Service discovery, see RFC 6764
    location = /.well-known/caldav {
        return 307 $scheme://$host/user/calendars;
    }

    location = /.well-known/carddav {
        return 307 $scheme://$host/user/contacts;
    }

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect off;
        proxy_buffering off;
        proxy_pass http://xandikos;
        auth_basic "Login required";
        auth_basic_user_file /etc/xandikos/htpasswd;
    }

    listen 443 ssl http2;
    listen [::]:443 ssl ipv6only=on http2;

    # use e.g. Certbot to have these modified:
    ssl_certificate /etc/letsencrypt/live/dav.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dav.example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}

server {
    if ($host = dav.example.com) {
        return 301 https://$host$request_uri;
    }

    listen 80 http2;
    listen [::]:80 http2;
    server_name dav.example.com;
    return 404;
}