server {
	add_header Content-Security-Policy "base-uri 'self'; style-src 'self' 'unsafe-inline'; default-src 'none'; frame-ancestors 'self'; form-action 'self'; require-trusted-types-for 'script'" always;
	add_header X-Content-Type-Options nosniff always;
	add_header X-Xss-Protection "0" always;
	add_header Referrer-Policy no-referrer always;
	add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), geolocation=(), fullscreen=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), speaker-selection=(), conversion-measurement=(), focus-without-user-activation=(), hid=(), idle-detection=(), sync-script=(), vertical-scroll=(), serial=(), trust-token-redemption=(), interest-cohort=(), otp-credentials=()" always;
	add_header Cross-Origin-Embedder-Policy require-corp always;
	add_header Cross-Origin-Opener-Policy same-origin always;
	add_header Cross-Origin-Resource-Policy same-origin always;
	listen unix:/var/run/nginx.sock default_server;
	root /var/www/html;
	index index.php;
	server_name danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion;
	location / {
		try_files $uri $uri/ =404;
	}
	location ~ ^/mail/squirrelmail/.git {
		return 403;
	}
	rewrite /.well-known/openpgpkey/hu /mail/openpgpkey_wkd.php last;
	location ~ ^/mail/squirrelmail/.*\.php$ {
		add_header Content-Security-Policy "base-uri 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; child-src 'self'; default-src 'none'; img-src 'self' data: https://*; frame-ancestors 'self'; form-action 'self'; require-trusted-types-for 'script'" always;
		add_header X-Content-Type-Options nosniff always;
		add_header X-Xss-Protection "0" always;
		add_header Referrer-Policy no-referrer always;
		add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), geolocation=(), fullscreen=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), speaker-selection=(), conversion-measurement=(), focus-without-user-activation=(), hid=(), idle-detection=(), sync-script=(), vertical-scroll=(), serial=(), trust-token-redemption=(), interest-cohort=(), otp-credentials=()" always;
		add_header Cross-Origin-Embedder-Policy require-corp always;
		add_header Cross-Origin-Opener-Policy same-origin always;
		add_header Cross-Origin-Resource-Policy same-origin always;
		include snippets/fastcgi-php.conf;
		fastcgi_pass unix:/run/php/php8.2-fpm.sock;
		expires off;
	}
	location ~ \.php$ {
		add_header Referrer-Policy no-referrer always;
		include snippets/fastcgi-php.conf;
		fastcgi_pass unix:/run/php/php8.2-fpm.sock;
		expires off;
	}
}
server {
	add_header Content-Security-Policy "base-uri 'self'; style-src 'self' 'unsafe-inline'; default-src 'none'; frame-ancestors 'self'; form-action 'self'; require-trusted-types-for 'script'" always;
	add_header X-Content-Type-Options nosniff always;
	add_header X-Xss-Protection "0" always;
	add_header Referrer-Policy no-referrer always;
	add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), geolocation=(), fullscreen=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), speaker-selection=(), conversion-measurement=(), focus-without-user-activation=(), hid=(), idle-detection=(), sync-script=(), vertical-scroll=(), serial=(), trust-token-redemption=(), interest-cohort=(), otp-credentials=()" always;
	add_header Onion-Location http://danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion$request_uri always;
	add_header Expect-CT "max-age=86400, enforce" always;
	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
	add_header Cross-Origin-Embedder-Policy require-corp always;
	add_header Cross-Origin-Opener-Policy same-origin always;
	add_header Cross-Origin-Resource-Policy same-origin always;
        listen [::]:443 ssl proxy_protocol http2;
	ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
	ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
	root /var/www/html;
	index index.php;
	server_name danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion danwin1210.de;
	location / {
		try_files $uri $uri/ =404;
	}
	location ~ ^/mail/squirrelmail/.git {
		return 403;
	}
	rewrite /.well-known/openpgpkey/hu /mail/openpgpkey_wkd.php last;
	location ~ ^/mail/squirrelmail/.*\.php$ {
		add_header Content-Security-Policy "base-uri 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; child-src 'self'; default-src 'none'; img-src 'self' data: https://*; frame-ancestors 'self'; form-action 'self'; require-trusted-types-for 'script'" always;
		add_header X-Content-Type-Options nosniff always;
		add_header X-Xss-Protection "0" always;
		add_header Referrer-Policy no-referrer always;
		add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), geolocation=(), fullscreen=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), speaker-selection=(), conversion-measurement=(), focus-without-user-activation=(), hid=(), idle-detection=(), sync-script=(), vertical-scroll=(), serial=(), trust-token-redemption=(), interest-cohort=(), otp-credentials=()" always;
		add_header Onion-Location http://danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion$request_uri always;
		add_header Expect-CT "max-age=86400, enforce" always;
		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
		add_header Cross-Origin-Embedder-Policy require-corp always;
		add_header Cross-Origin-Opener-Policy same-origin always;
		add_header Cross-Origin-Resource-Policy same-origin always;
		include snippets/fastcgi-php.conf;
		fastcgi_pass unix:/run/php/php8.2-fpm.sock;
		expires off;
	}
	location ~ \.php$ {
		add_header Referrer-Policy no-referrer always;
		add_header Onion-Location http://danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion$request_uri always;
		add_header Expect-CT "max-age=86400, enforce" always;
		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
		include snippets/fastcgi-php.conf;
		fastcgi_pass unix:/run/php/php8.2-fpm.sock;
		expires off;
	}
}