infra/roles/mainframe/templates/01-static.conf.j2

server {
    listen 443 ssl http2;
    {% if inventory_hostname in wg_clients -%}
    listen {{ wg_clients[inventory_hostname].ip }}:443 ssl http2;
    {% endif -%}

    charset utf-8;

    include listen-proxy-protocol.conf;
    server_name {{ static2_url }};

    ssl_certificate /usr/local/etc/certs/static.{{ domain }}/fullchain.pem;
    ssl_certificate_key /usr/local/etc/certs/static.{{ domain }}/privkey.pem;

    access_log /var/log/nginx/access_{{ static2_url }}.log main;
    error_log /var/log/nginx/error_{{ static2_url }}.log warn;

    {% for item in ["robots.txt", "keybase.txt"] -%}
    location /{{ item }} {
        add_header X-Robots-Tag "all" always;
        root /var/www/static.{{ domain }};
    }
    {% endfor %}

    location / {
        return 301 https://static.{{ domain }}$request_uri;
    }
}


server {
    listen 443 ssl http2;
    {% if inventory_hostname in wg_clients -%}
    listen {{ wg_clients[inventory_hostname].ip }}:443 ssl http2;
    {% endif -%}

    charset utf-8;

    include listen-proxy-protocol.conf;
    server_name static.{{ domain }};
    root /var/www/static.{{ domain }};

    # valid for both
    ssl_certificate /usr/local/etc/certs/static.{{ domain }}/fullchain.pem;
    ssl_certificate_key /usr/local/etc/certs/static.{{ domain }}/privkey.pem;

    autoindex on;
    autoindex_exact_size off;

    include /etc/nginx/sudo-known.conf;

    location ~* ^.+\.json$ {
        add_header Content-Type application/json;
    }

    location = /cv1.pdf {
        # good side effect, removes X-Robots-Tag header
        add_header "x-for-hire" "false";
        add_header X-Robots-Tag "all" always;
        add_header "Link" '<https://www.{{ domain }}/cv2.pdf>; rel="canonical"' always;
        rewrite ^/cv1.pdf$ https://www.{{ domain }}/cv1.pdf permanent;
    }

    {% for item in ["ardrand.pdf", "tsense.pdf"] %}
    location = /{{ item }} {
        add_header "Link" '<https://www.{{ domain }}/{{ item }}>; rel="canonical"' always;
        add_header X-Robots-Tag "all" always;
        rewrite ^/{{ item }}$ https://www.{{ domain }}/{{ item }} permanent;
    }
    {% endfor %}

    location = /ardrand.pdf. {
        add_header "Link" '<https://www.{{ domain }}/ardrand.pdf>; rel="canonical"' always;
        rewrite ^/ardrand.pdf\.$ https://www.{{ domain }}/ardrand.pdf permanent;
    }

    {% for item in ["sitemap.xml", "keybase.txt", "Found_Reykjavik.pdf", "Found_Reykjavik_144dpi.pdf"] -%}
    location = /{{ item }} {
        add_header "Link" '<https://static.{{ domain }}/{{ item }}>; rel="canonical"' always;
        add_header X-Robots-Tag "all" always;
    }
    {% endfor %}

    access_log /var/log/nginx/access_static.{{ domain }}.log main;
    error_log /var/log/nginx/error_static.{{ domain }}.log warn;

    ssl_session_timeout 5m;

    location = /robots.txt {
        if_modified_since off;
        expires off;
        add_header Last-Modified $date_gmt always;
        add_header Clear-Site-Data "cache" always;
        add_header Cache-Control 'no-store' always;
        add_header X-Robots-Tag "all" always;
    }
    add_header X-Robots-Tag "none" always;

    # for /assets
    #add_header X-Content-Type-Options "nosniff" always;
    #add_header X-Permitted-Cross-Domain-Policies "none" always;
    #add_header Referrer-Policy "no-referrer" always;
    #add_header X-Download-Options "noopen" always;
    #add_header X-Frame-Options "SAMEORIGIN" always;
    #add_header X-XSS-Protection "1; mode=block" always;

    add_header "Access-Control-Allow-Origin" "*" always;

}