# Inferencium - xa000-1
# Nginx - Configuration - Inferencium - Internal - Source
# Version: 0.1.0

# Copyright 2023 Jake Winters
# SPDX-License-Identifier: BSD-3-Clause


# Redirect (unencrypted)
server {

	## General
	server_name						src.int.inferencium.net;
	listen							80;
#	listen							[::]:80;

	## Location
	location / {
		return						301 https://$host$request_uri;
	}

}


# Server (TLS)
server {

	## General
	server_name						src.int.inferencium.net;
	listen							443 ssl;
#	listen							[::]:443 ssl;
	http2							on;

	## Location
	location / {
		proxy_pass					http://unix:/run/gitea/gitea.sock;
		proxy_set_header			Host $host;
		proxy_set_header			X-Real-IP $remote_addr;
		proxy_set_header			X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header			X-Forwarded-Proto $scheme;
	}

	## Security
	ssl_certificate					/etc/ssl/nginx/inferencium-int/fullchain.pem;
	ssl_certificate_key				/etc/ssl/nginx/inferencium-int/privkey.pem;
	ssl_protocols					TLSv1.3;
	ssl_early_data					off;
	ssl_ciphers						"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256";
	ssl_conf_command				Ciphersuites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
	ssl_conf_command				Options PrioritizeChaCha;
	ssl_prefer_server_ciphers		on;
	ssl_ecdh_curve					x25519:secp256r1;
	ssl_stapling					on;
	ssl_stapling_verify				on;
#	add_header						Content-Security-Policy "default-src 'self'; img-src 'self'; media-src 'self'; object-src 'none'; script-src 'none'; connect-src 'none'; frame-src 'none'; style-src 'self'; font-src 'self'";
	add_header						Referrer-Policy no-referrer;
	add_header						Strict-Transport-Security "max-age=126200000; always";
	add_header						X-Content-Type-Options nosniff;
	add_header						X-Frame-Options "DENY";
	add_header						Set-Cookie "Path=/;Secure;HttpOnly";
	ignore_invalid_headers			on;

}