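# TLS settings declared outside any server block, so every TLS listener below
# inherits them.
http2 on;
ssl_certificate     /usr/share/nginx/ssl/tls.crt;
ssl_certificate_key /usr/share/nginx/ssl/tls.key;
ssl_protocols TLSv1.2 TLSv1.3;
# TLS 1.2 suites are restricted to ECDHE key exchange with AEAD ciphers.
# The previous string began with ALL and explicitly named RC4+RSA, so RC4,
# CBC-mode and static-RSA (no forward secrecy) suites were negotiable whenever
# the linked OpenSSL build still offered them. No DHE suites are listed because
# this file sets no ssl_dhparam. ssl_ciphers does not govern TLS 1.3 suites.
# Clients limited to CBC or static-RSA suites on TLS 1.2 will no longer connect.
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# NOTE(review): ssl_session_tickets is left at its default (on); ticket keys
# are only regenerated on reload/restart unless ssl_session_ticket_key is
# managed externally. Confirm that is acceptable for this deployment.

# Plain-HTTP listener: known names are redirected to HTTPS.
# $host can only be one of the server_name values here, because any other
# Host value is routed to the default_server below, so the redirect target
# is not attacker-controlled.
server {
    listen 8080;
    server_name balsillie.net balsillie.email openpgpkey.balsillie.net openpgpkey.balsillie.email;
    return 301 https://$host$request_uri;
}

# Plain-HTTP catch-all: 444 makes nginx close the connection without a response.
server {
    listen 8080 default_server;
    return 444;
}

# balsillie.net: a handful of static files and well-known redirects; everything
# else is dropped.
server {
    listen 8443 ssl;
    server_name balsillie.net;

    location = /michael.vcf {
        default_type application/octet-stream;
        root /usr/share/nginx/html;
    }

    # MTA-STS policy. RFC 8461 has fetchers check that the policy is served as
    # text/plain. default_type only applies when the active types map has no
    # entry for the extension, so this was previously correct only if a
    # mime.types include (not visible here) mapped .txt.
    location = /.well-known/mta-sts.txt {
        default_type text/plain;
        root /usr/share/nginx/html/mta-sts/balsillie_net;
    }

    # Federation discovery endpoints are delegated to the social host.
    # These are prefix matches, so longer paths starting with the same string
    # are redirected as well.
    location /.well-known/host-meta {
        return 301 https://social.balsillie.net$request_uri;
    }

    location /.well-known/webfinger {
        return 301 https://social.balsillie.net$request_uri;
    }

    location /.well-known/nodeinfo {
        return 301 https://social.balsillie.net$request_uri;
    }

    # Matrix delegation documents have no file extension, so default_type
    # supplies the JSON content type.
    location /.well-known/matrix/ {
        default_type application/json;
        root /usr/share/nginx/html;
    }

    location / {
        return 444;
    }
}

# balsillie.email: serves only its MTA-STS policy.
server {
    listen 8443 ssl;
    server_name balsillie.email;

    # Served as text/plain for the same reason as the balsillie.net policy:
    # RFC 8461 fetchers check the media type.
    location = /.well-known/mta-sts.txt {
        default_type text/plain;
        root /usr/share/nginx/html/mta-sts/balsillie_email;
    }

    location / {
        return 444;
    }
}

# Web Key Directory hosts: key files are served as opaque binary data.
server {
    listen 8443 ssl;
    server_name openpgpkey.balsillie.net openpgpkey.balsillie.email;

    location /.well-known/openpgpkey {
        default_type application/octet-stream;
        root /usr/share/nginx/html;
    }

    location / {
        return 444;
    }
}

# TLS catch-all: a handshake whose SNI matches no server_name above is
# rejected before any certificate is sent, so the certificate's names are not
# disclosed to clients connecting by IP or with an unknown name.
server {
    listen 8443 ssl default_server;
    ssl_reject_handshake on;
}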