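# nginx site config for hg.sr.ht: one plain-HTTP server and one TLS server.
# Shared directives (TLS, headers, GraphQL, web proxying) live in the included
# snippets; only the hg.sr.ht-specific routing is spelled out here.

# Port 80 vhost. Only the shared snippets apply (port80.conf presumably handles
# the HTTP side; its contents are not visible here).
server {
    include sourcehut.conf;
    include port80.conf;
    server_name hg.sr.ht;
}

# Port 443 vhost: web UI, GraphQL, static assets and http(s) clone access.
server {
    include sourcehut.conf;
    include port443.conf;
    include hg-ssl.conf;
    server_name hg.sr.ht;

    # Pushes over http(s) carry bundles in the request body; raise the default
    # 1M cap so they are not rejected with 413.
    client_max_body_size 100M;

    # Web UI, served by the hgsrht application.
    location / {
        proxy_pass http://127.0.0.1:5010;
        include headers.conf;
        add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self' 'unsafe-inline'; frame-ancestors 'none'" always;
        include web.conf;
    }

    # GraphQL API, served by a separate backend.
    location /query {
        proxy_pass http://127.0.0.1:5110;
        include graphql.conf;
    }

    # Static assets straight from the installed Python package.
    # $python is an nginx variable that must be set elsewhere (e.g. in
    # sourcehut.conf); if it is undefined nginx refuses to start.
    location /static {
        root /usr/lib/$python/site-packages/hgsrht;
        expires 30d;
    }

    # Let clients reach pull bundles. We don't really need to lock this down even for
    # private repos because the bundles are named after the revision hashes... so someone
    # would need to guess a SHA value to download anything.
    #
    # NOTE: nginx picks the FIRST matching regex location in file order, so this
    # block must stay above the auth_request-protected "/.hg" location below;
    # moving it after that block would put bundles behind authorization.
    location ~ ^/[~^][a-z0-9_]+/[a-zA-Z0-9_.-]+/\.hg/bundles/.*$ {
        root /var/lib/mercurial;
    }

    # http(s) cloning auth.
    # Target of the auth_request subrequest below. The body is dropped and
    # Content-Length cleared because only the headers (credentials) and the
    # original URI are needed to decide access.
    location = /authorize {
        # Reachable only via internal subrequests (auth_request); a direct
        # client request for /authorize gets a 404 instead of hitting the app.
        internal;
        proxy_pass http://127.0.0.1:5010;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }

    # http(s) cloning download access.
    # Every other path under a repo's .hg directory is gated by /authorize:
    # a 2xx from the subrequest allows the request, 401/403 denies it.
    location ~ ^/[~^][a-z0-9_]+/[a-zA-Z0-9_.-]+/\.hg.*$ {
        auth_request /authorize;
        root /var/lib/mercurial;
    }
}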