server {
    listen 80;
    server_name simplenotes.be;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name simplenotes.be;

    ssl_certificate /etc/letsencrypt/live/simplenotes.be/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/simplenotes.be/privkey.pem;

    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    gzip on;
    gzip_vary on;
    gzip_min_length 1400;
    gzip_proxied expired no-cache no-store private auth;
    gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
    gzip_disable "MSIE [1-6]\.";

    location ~* \.(css|js)$ {
        root   /usr/share/nginx/html;
        expires 1m;
        add_header Cache-Control "public, max-age=2628000";
    }

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;

        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

        # FIXME disable inlines in webpack
        add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' https://fonts.gstatic.com https://fonts.googleapis.com https://cdn.jsdelivr.net;";

        add_header Feature-Policy "geolocation none;midi none;notifications none;push none;sync-xhr none;microphone none;camera none;magnetometer none;gyroscope none;speaker self;vibrate none;fullscreen self;payment none;";
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "DENY" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Referrer-Policy "origin" always;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    location /api/ {
        rewrite  ^/api/(.*)  /$1 break;
        proxy_pass http://api:8081/;
    }

}