# builds.krathalan.net

server {
  # Files
  root /var/www/builds;
  index builds.html;
  error_page 404 /404.html;

  server_name builds.krathalan.net www.builds.krathalan.net;

  # This is where *.pkg.tar.zst{,.sig} files are
  location /x86_64/ {
    brotli off;
    gzip off;
    fancyindex on;
    fancyindex_exact_size off;
    fancyindex_localtime on;
    fancyindex_css_href "https://builds.krathalan.net/index.css";
  }

  listen [::]:443 ssl; # managed by Certbot
  listen 443 ssl; # managed by Certbot
  ssl_certificate /etc/letsencrypt/live/builds.krathalan.net/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/builds.krathalan.net/privkey.pem; # managed by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

  # Disable FLoC
  add_header Permissions-Policy interest-cohort=();

  # Turn on HSTS
  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

  # https://securityheaders.com
  add_header Content-Security-Policy "default-src 'self'; img-src 'self' liberapay.com img.shields.io;" always;
  add_header X-Frame-Options "DENY" always;
  add_header X-Content-Type-Options "nosniff" always;
  add_header Referrer-Policy "no-referrer" always;
}
server {
  if ($host = www.builds.krathalan.net) {
    return 301 https://$host$request_uri;
  } # managed by Certbot
  if ($host = builds.krathalan.net) {
    return 301 https://$host$request_uri;
  } # managed by Certbot

  listen 80 ;
  listen [::]:80 ;

  server_name builds.krathalan.net www.builds.krathalan.net;
  return 404; # managed by Certbot
}
