map $http_upgrade $connection_upgrade {
  default upgrade;
  ''      close;
}

server {
  listen 80 default_server;
  listen [::]:80 default_server;
  server_name plural.cafe;
  root /home/mastodon/live/public;
  location /.well-known/acme-challenge/ { allow all; }
  location / { return 301 https://$host$request_uri; }
}

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name ~^(?<subdomain>\w+)\.plural\.cafe$;
  server_tokens off;

  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
  ssl_prefer_server_ciphers on;
  ssl_ecdh_curve secp384r1;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 10m;
  ssl_session_tickets off;
  ssl_stapling on;
  ssl_stapling_verify on;

  resolver 8.8.8.8 8.8.4.4 [2001:4860:4860::8888] [2001:4860:4860::8844] valid=300s;
  resolver_timeout 5s;

  ssl_dhparam /etc/ssl/certs/dhparam4096.pem;

  ssl_certificate     /etc/letsencrypt/live/plural.cafe/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/plural.cafe/privkey.pem;
  ssl_trusted_certificate /etc/letsencrypt/live/plural.cafe/chain.pem;

  keepalive_timeout    70;
  sendfile             on;
  client_max_body_size 0;

  gzip off;

  add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff;
  add_header X-XSS-Protection "1; mode=block";
  add_header Referrer-Policy "same-origin";
  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

  return 301 "https://plural.cafe/@${subdomain}";
}

server {
  listen 443 ssl http2 default_server;
  listen [::]:443 ssl http2 default_server;
  server_name plural.cafe;
  server_tokens off;

  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers ECDHE+CHACHA20:AES256+EECDH:AES256+EDH:!aNULL;
  ssl_prefer_server_ciphers on;
  ssl_ecdh_curve secp384r1;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 10m;
  ssl_session_tickets off;
  ssl_stapling on;
  ssl_stapling_verify on;

  resolver 8.8.8.8 8.8.4.4 [2001:4860:4860::8888] [2001:4860:4860::8844] valid=300s;
  resolver_timeout 5s;

  ssl_dhparam /etc/ssl/certs/dhparam4096.pem;

  ssl_certificate     /etc/letsencrypt/live/plural.cafe/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/plural.cafe/privkey.pem;
  ssl_trusted_certificate /etc/letsencrypt/live/plural.cafe/chain.pem;

  keepalive_timeout    70;
  sendfile             on;
  client_max_body_size 0;

  root /home/mastodon/live/public;

  gzip off; # anti-BREACH

  add_header X-Terms-Of-Service "https://plural.cafe/about/more";
  add_header X-Source-Code "https://github.com/pluralcafe/mastodon";
  add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff;
  add_header X-XSS-Protection "1; mode=block";
  add_header Content-Security-Policy "frame-ancestors 'none'; base-uri 'self'; form-action 'self'; default-src 'none'; script-src 'self'; object-src 'self'; style-src 'self' https://fonts.googleapis.com/ 'sha256-deDIoPlRijnpfbTDYsK+8JmDfUBmpwpnb0L/SUV8NeU=' 'sha256-dsU/1vqKDGkqSAJVJCzaxo3alnWrTU/iQqFREt5QB+g='; img-src * data: https://d2rm2wyqhf92ej.cloudfront.net/; media-src 'self' data: https://d2rm2wyqhf92ej.cloudfront.net/; worker-src 'self'; frame-src https://player.vimeo.com https://youtube.com https://www.youtube.com; font-src 'self' data: https://fonts.gstatic.com/; connect-src 'self' wss://plural.cafe";
  add_header Referrer-Policy "same-origin";
  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

  location / {
    try_files $uri @proxy;
  }

  location /sw.js {
    add_header Cache-Control "public, max-age=0";
    try_files $uri @proxy;
  }

  location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
    add_header Cache-Control "public, max-age=31536000, immutable";
    try_files $uri @proxy;
  }

  location @proxy {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header Proxy "";
    proxy_pass_header Server;

    proxy_pass http://127.0.0.1:3000;
    proxy_buffering off;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    tcp_nodelay on;
  }

  location /api/v1/streaming {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header Proxy "";

    proxy_pass http://127.0.0.1:4000;
    proxy_buffering off;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    tcp_nodelay on;
  }

  error_page 403 /assets/403.html;
  error_page 404 /assets/404.html;
  error_page 410 /assets/410.html;
  error_page 422 /assets/422.html;
  error_page 500 501 502 503 504 /assets/500.html;
}