# xyzzy.ee
# www.xyzzy.ee

server {
    server_name xyzzy.ee;
    root /var/xyzzy/html/plugh;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }

    listen [::]:443 ssl default_server; # managed by Certbot
    listen 443 ssl default_server; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/xyzzy.ee/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/xyzzy.ee/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    # x-clacks-overhead
    include /etc/nginx/sites.d/clacks.conf;

    # https://ssl-config.mozilla.org/
    add_header Strict-Transport-Security "max-age=15724800" always;

    # https://observatory.mozilla.org
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options "nosniff";
    add_header X-XSS-Protection "1; mode=block";
    add_header Referrer-Policy "strict-origin-when-cross-origin";
    add_header Content-Security-Policy "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'self';";
}

server {
    server_name www.xyzzy.ee;
    root /var/xyzzy/html/plugh;
    index index.html;

    location ~ /\.well-known {
        allow all;
    }

    location ~ / {
        return 301 $scheme://xyzzy.ee$request_uri;
    }

    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/xyzzy.ee/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/xyzzy.ee/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    # x-clacks-overhead
    include /etc/nginx/sites.d/clacks.conf;

    # https://ssl-config.mozilla.org/
    add_header Strict-Transport-Security "max-age=15724800" always;

    # https://observatory.mozilla.org
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options "nosniff";
    add_header X-XSS-Protection "1; mode=block";
    add_header Referrer-Policy "strict-origin-when-cross-origin";
    add_header Content-Security-Policy "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'self';";
}

server {
    # x-clacks-overhead
    include /etc/nginx/sites.d/clacks.conf;

    if ($host = xyzzy.ee) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    server_name xyzzy.ee;
    root /var/xyzzy/html/plugh;
    index index.html;
    return 404; # managed by Certbot
}

server {
    # x-clacks-overhead
    include /etc/nginx/sites.d/clacks.conf;

    if ($host = www.xyzzy.ee) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    server_name www.xyzzy.ee;
    root /var/xyzzy/html/plugh;
    index index.html;
    return 404; # managed by Certbot
}

server {
    # x-clacks-overhead
    include /etc/nginx/sites.d/clacks.conf;

    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://xyzzy.ee$request_uri;
}