# Minimal static site config (no TLS). Site is mounted at runtime.

server {
    listen       80;
    server_name  _;

    # Static root (mounted from host: ./site -> /usr/share/nginx/html)
    root   /usr/share/nginx/html;
    index  index.html;

    # Gzip for common text types
    gzip on;
    gzip_types text/plain text/css application/javascript application/json application/xml image/svg+xml;
    gzip_min_length 1024;
    gzip_comp_level 5;

    # Security headers (adjust per project needs)
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "no-referrer-when-downgrade" always;
    # add_header Content-Security-Policy "default-src 'self'" always; # Consider tailoring CSP; may break 3rd-party assets

    # Default: serve files directly; 404 if missing
    location / {
        try_files $uri $uri/ =404;
    }

    # Long cache for static assets by extension
    location ~* \.(?:ico|css|js|mjs|gif|jpe?g|png|svg|webp|woff2?|ttf)$ {
        expires 30d;
        access_log off;
        add_header Cache-Control "public, max-age=2592000, immutable";
    }

    # Avoid caching HTML to ensure fresh content
    location ~* \.(?:html)$ {
        expires -1;
        add_header Cache-Control "no-cache, no-store, must-revalidate";
    }

    # Optional: enable basic status (restrict in production)
    # location /__status {
    #     stub_status;
    #     allow 127.0.0.1;
    #     deny all;
    # }
}