infra/roles/mainframe/templates/01-static.conf.j2

server {
    listen 443 ssl http2;
    {% if inventory_hostname in wg_clients -%}
    listen {{ wg_clients[inventory_hostname].ip }}:443 ssl http2;
    {% endif -%}

    charset utf-8;

    include listen-proxy-protocol.conf;
    server_name static.{{ domain }} {{ static2_url }};
    root /var/www/static.{{ domain }};

    # valid for both
    ssl_certificate /usr/local/etc/certs/static.{{ domain }}/fullchain.pem;
    ssl_certificate_key /usr/local/etc/certs/static.{{ domain }}/privkey.pem;

    autoindex on;
    autoindex_exact_size off;

    include /etc/nginx/sudo-known.conf;

    location ~* ^.+\.json$ {
        add_header Content-Type application/json;
    }

    location = /cv1.pdf {
        # good side effect, removes X-Robots-Tag header
        add_header "x-for-hire" "false";
    }

    access_log /var/log/nginx/access_static.{{ domain }}.log main;
    error_log /var/log/nginx/error_static.{{ domain }}.log warn;

    ssl_session_timeout 5m;

    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;
}