# xyzzy.fi
# www.xyzzy.fi

server {
    server_name xyzzy.fi;
    root /var/xyzzy/html;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }

    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/xyzzy.fi/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/xyzzy.fi/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    # https://ssl-config.mozilla.org/
    add_header Strict-Transport-Security "max-age=15724800" always;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/xyzzy.fi/chain.pem;
    resolver 9.9.9.9 8.8.8.8 1.1.1.1;
    resolver_timeout 5s;

    # https://observatory.mozilla.org
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options "nosniff";
    add_header X-XSS-Protection "1; mode=block";
    add_header Referrer-Policy "strict-origin-when-cross-origin";
    add_header Content-Security-Policy "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'self';";
}

server {
    server_name www.xyzzy.fi;
    root /var/xyzzy/html;
    index index.html;

    location ~ /\.well-known {
        allow all;
    }

    location ~ / {
        return 301 $scheme://xyzzy.fi$request_uri;
    }

    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/xyzzy.fi/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/xyzzy.fi/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    # https://ssl-config.mozilla.org/
    add_header Strict-Transport-Security "max-age=15724800" always;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/xyzzy.fi/chain.pem;
    resolver 9.9.9.9 8.8.8.8 1.1.1.1;
    resolver_timeout 5s;

    # https://observatory.mozilla.org
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options "nosniff";
    add_header X-XSS-Protection "1; mode=block";
    add_header Referrer-Policy "strict-origin-when-cross-origin";
    add_header Content-Security-Policy "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'self';";
}

server {
    if ($host = xyzzy.fi) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    server_name xyzzy.fi;
    root /var/xyzzy/html;
    index index.html;
    return 404; # managed by Certbot
}

server {
    if ($host = www.xyzzy.fi) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    server_name www.xyzzy.fi;
    root /var/xyzzy/html;
    index index.html;
    return 404; # managed by Certbot
}