server.modules += ( "mod_cgi", "mod_rewrite", "mod_openssl", "mod_setenv" )

$SERVER["socket"] == ":443" {
    ssl.engine                    = "enable"
    ssl.pemfile                   = "/etc/certs/fullchain1.pem"
    ssl.privkey                   = "/etc/certs/privkey1.pem"

    setenv.add-response-header = (
	"Strict-Transport-Security"=>"max-age=63072000; includeSubdomains", 
	"X-Frame-Options"=>"DENY",
	"X-XSS-Protection"=>"1; mode=block",
	"X-Content-Type-Options" => "nosniff",
	"Content-Security-Policy" => "script-src 'self'; object-src 'self'",
	"X-Permitted-Cross-Domain-Policies" => "none",
	"Referrer-Policy" => "no-referrer")

    server.name          = "git.terminaldweller.com"
    server.document-root = "/usr/share/webapps/cgit/"

    index-file.names     = ( "cgit.cgi" )
    cgi.assign           = ( "cgit.cgi" => "" )
    mimetype.assign      = ( ".css" => "text/css" )
    url.rewrite-once     = (
        "^/cgit/cgit.css"   => "/cgit.css",
        "^/cgit/cgit.png"   => "/cgit.png",
        "^/([^?/]+/[^?]*)?(?:\?(.*))?$"   => "/cgit.cgi?url=$1&$2",
    )
}