infra/roles/www/templates/01-sudo.is.conf.j2

server {
    server_name {%- for d in server_names %} www.{{ d }} {{ d }}{% endfor %};

    {% if inventory_hostname in wg_clients -%}
    listen {{ wg_clients[inventory_hostname].ip }}:443 ssl http2;
    {% endif -%}
    listen 443 ssl http2;

    include listen-proxy-protocol.conf;

    charset utf-8;
    root /var/www/www.{{ domain }};

    ssl_certificate /usr/local/etc/certs/www.{{ domain }}/fullchain.pem;
    ssl_certificate_key /usr/local/etc/certs/www.{{ domain }}/privkey.pem;

    autoindex on;
    autoindex_exact_size off;

    include /etc/nginx/authelia_internal.conf;

    # include /.well-known/ and /.sudo-known/ urls.
    include /etc/nginx/well-known.conf;
    include /etc/nginx/sudo-known.conf;

    location {{ coolcats }} {
        include /etc/nginx/require_auth.conf;
        autoindex on;
    }

    location ~* ^.+\.json$ {
        add_header Content-Type application/json;
    }

    {# location = /cv.pdf {
     #     proxy_pass https://{{ static_host }}/cv1.pdf;
     #     proxy_set_header Host {{ static_url }};
     #     proxy_hide_header "X-Robots-Tag";
     # } #}

    # sometimes clients misbehave and contact the top level domain when they
    # shouldnt so we point them to {{ matrix_url }} instead
    location ~* "^/_matrix.*" {
        return 301 https://{{ matrix_url }}$request_uri;
    }

    access_log /var/log/nginx/access_www.{{ domain }}.log main;
    error_log /var/log/nginx/error_www.{{ domain }}.log warn;

    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header Content-Security-Policy "frame-ancestors 'self' {{ cast_refer }} {%- for d in server_names %} https://*.{{ d }}{% endfor %};" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    # add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;
}