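# This requires the `stream` module. This section goes in the main
# nginx.conf, or at least outside the `http` section. Run `nginx -t` to
# test changes.
stream {
    # $ssl_server_name is the SNI value sent by the client, i.e. untrusted
    # input. It ends up in a filesystem path below, so pass it through only
    # when it is shaped like a DNS hostname (labels of letters, digits and
    # hyphens joined by single dots). Anything else, including a missing
    # SNI, maps to an empty string; the certificate lookup then fails and
    # the handshake is refused.
    #
    # NOTE(review): listing the served domains explicitly in this map,
    # instead of using the regex, is stricter still and is the better choice
    # when the set of domains is known.
    map $ssl_server_name $gemini_cert_name {
        default "";
        "~*^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$" $ssl_server_name;
    }

    server {
        # Listen on port 1965, with mandatory TLS.
        listen 1965 ssl;

        # Run only these protocols.
        ssl_protocols TLSv1.2 TLSv1.3;

        # Other TLS options could go here.

        # Dynamically load the certificate for whichever domain name the
        # client asked for, after the hostname check in the map above.
        #
        # With a variable in the path, nginx loads the certificate and key
        # on every handshake rather than once at startup. That costs
        # performance, and the files are read by the worker process, so the
        # worker user needs read access to them. Check the permissions on
        # /etc/letsencrypt and keep access to privkey.pem as narrow as
        # possible.
        #
        # cert.pem is the leaf certificate only, without the intermediate
        # chain. The reasoning here is that Gemini clients only want to
        # validate the CommonName field.
        # NOTE(review): clients that verify against a CA store would need
        # fullchain.pem instead; confirm against the clients you expect.
        ssl_certificate     /etc/letsencrypt/live/$gemini_cert_name/cert.pem;
        ssl_certificate_key /etc/letsencrypt/live/$gemini_cert_name/privkey.pem;

        # After the TLS session is started, proxy everything to `gemini`.
        # The upstream hop is plaintext: the backend should listen on the
        # loopback address only, so that port 19650 cannot be reached
        # without going through TLS on 1965.
        proxy_pass 127.0.0.1:19650;
    }
}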