server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name tild.es;

    keepalive_timeout 5;

    add_header Strict-Transport-Security "max-age={{ hsts_max_age }}; includeSubDomains; preload" always;

    # Are these security headers unnecessary when we're just redirecting?
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Xss-Protection "1; mode=block" always;
    add_header Referrer-Policy "same-origin" always;

    # Exact location match to redirect the root url to tildes.net
    location = / {
        return 301 https://tildes.net;
    }

    # Serve the same robots.txt file as on the site itself
    location = /robots.txt {
        root {{ app_dir }}/static;
    }

    # Will match all addresses *except* exact matches above
    location / {
        # Strip any trailing slash while redirecting
        rewrite ^/(.*)/?$ https://tildes.net/shortener/$1 permanent;
    }
}