server {
    listen 80;
    server_name web.facere.cc _;

    root /usr/share/nginx/html;
    index facere.html index.html;

    charset utf-8;

    # Deny access to repo metadata, deploy scripts/configs, and dotfiles
    location ~ /\.git { deny all; return 404; }
    location ~ /\.    { deny all; return 404; }
    location ^~ /deploy/   { deny all; return 404; }
    location = /deploy-pull.sh { deny all; return 404; }

    # The HTML entrypoint must NOT cache long — it carries the
    # ?v=… cache-busting tags that everything else relies on.
    location = / {
        add_header Cache-Control "public, max-age=0, must-revalidate" always;
        expires off;
        try_files /facere.html =404;
    }
    location = /facere.html {
        add_header Cache-Control "public, max-age=0, must-revalidate" always;
        expires off;
    }

    location / {
        try_files $uri $uri/ /facere.html;
    }

    # CSS/JS: long-cache + immutable. URLs are versioned with ?v=… so
    # each deploy is a brand-new key; anything served here will never
    # need to be re-fetched in a session.
    location ~* \.(?:css|js|jsx)$ {
        expires 1y;
        add_header Cache-Control "public, max-age=31536000, immutable";
        types { text/css css; application/javascript js; application/javascript jsx; }
        try_files $uri =404;
    }

    # Static media: long cache + immutable (filenames change when content does).
    location ~* \.(?:png|jpe?g|gif|webp|avif|svg|mp4|webm|woff2?|ttf|otf|ico)$ {
        expires 1y;
        add_header Cache-Control "public, max-age=31536000, immutable";
        try_files $uri =404;
    }

    gzip on;
    gzip_types text/plain text/css application/javascript application/json image/svg+xml;
    gzip_min_length 1024;
    gzip_vary on;

    access_log /var/log/nginx/facere.access.log;
    error_log  /var/log/nginx/facere.error.log;
}