Listen 3081

<VirtualHost *:3081>
  ServerName {{ inventory_hostname }}
  ServerAdmin infra-root@opendev.org
  DocumentRoot /var/www/opendev.org

  <Directory /var/www/opendev.org/>
    Require all granted
    Order allow,deny
    Allow from all
  </Directory>

  AllowEncodedSlashes On

  ErrorLog ${APACHE_LOG_DIR}/gitea-ssl-error.log

  LogLevel warn

  LogFormat "%h:%{remote}p %A:%{proxy-source-port}n %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combinedport
  CustomLog ${APACHE_LOG_DIR}/gitea-ssl-access.log combinedport

  SSLEngine on
  SSLProtocol All -SSLv2 -SSLv3
  # Note: this list should ensure ciphers that provide forward secrecy
  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
  SSLHonorCipherOrder on

  SSLCertificateFile /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.cer
  SSLCertificateKeyFile /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.key
  SSLCertificateChainFile /etc/letsencrypt-certs/{{ inventory_hostname }}/ca.cer

  SSLProxyEngine on

  <Location /.well-known/matrix/client>
    Header set Access-Control-Allow-Origin "*"
  </Location>

  Use UserAgentFilter
  # Disable x-forwarded- headers because gitea logging can't
  # parse them properly
  ProxyAddHeaders Off
  ProxyPass  /.well-known/ !
  ProxyPass  / https://{{ inventory_hostname }}:3000/ retry=0
  ProxyPassReverse / https://{{ inventory_hostname }}:3000/


</VirtualHost>