server {
    server_name rpm.lair.cafe;
    listen 443 ssl;
    http2 on;

    ssl_certificate /etc/letsencrypt/live/rpm.lair.cafe/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/rpm.lair.cafe/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ecdh_curve X25519:secp256r1:secp384r1;

    root /var/www/rpm;

    types {
        application/x-rpm rpm;
        application/xml xml;
    }
    default_type application/octet-stream;

    location /assets/ {
        expires 1y;
        add_header Cache-Control "public, immutable";
    }

    location ~ \.rpm$ {
        expires 30d;
        add_header Cache-Control "public, immutable";
    }

    location ~ /repodata/ {
        expires -1;
        add_header Cache-Control "no-cache, must-revalidate";
    }

    location ~ packages\.json$ {
        expires 5m;
        add_header Cache-Control "public, must-revalidate";
    }

    location ~ \.gpg$ {
        default_type text/plain;
    }

    location / {
        try_files $uri $uri/ /index.html;
    }
}