etc-configs/nginx/conf.d/mail.zzls.xyz.conf

server {
	access_log /var/log/nginx/mail.zzls.xyz.log combined;
	error_log /var/log/nginx/mail.zzls.xyz.error;

	root /var/www/mail;
	index index.html index.php;

	server_name mail.zzls.xyz;
	include configs/general.conf;

	location ^~ /baikal {
		root /opt/baikal/html;
		index index.php;
		if (!-e $request_filename) { rewrite ^ /baikal/index.php last; }
		rewrite ^/.well-known/caldav /dav.php redirect;
		rewrite ^/.well-known/carddav /dav.php redirect;

		location ~ /(\.ht|Core|Specific|config) {
			deny all;
			return 404;
		}

		location ~ \.php$ {
			if (!-f $request_filename) { return 404; }
			try_files $uri =404;
			include fastcgi_params;
			fastcgi_split_path_info  ^(.+\.php)(.*)$;
			fastcgi_pass unix:/run/php/php8.2-fpm.sock;
			fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
			fastcgi_param  PATH_INFO        $fastcgi_path_info;
		}
	}

#	location @baikal {
#		rewrite /baikal/(.*)$ /baikal/index.php?/$1 last;
#	}
	location /radicale/ {
		proxy_pass           http://127.0.0.1:40001/;
		proxy_set_header     X-Script-Name /radicale;
		proxy_set_header     X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header     X-Remote-User $remote_user;
		proxy_set_header     Host $http_host;
	}

	listen 443 ssl http2;
	include configs/ssl.conf;
	add_header X-XSS-Protection          "1; mode=block" always;
	add_header X-Content-Type-Options    "nosniff" always;
	add_header X-Frame-Options           "sameorigin" always;
	add_header Referrer-Policy           "no-referrer-when-downgrade" always;
#add_header Content-Security-Policy   "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
	add_header Permissions-Policy        "interest-cohort=()" always;
	add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

}
server {
	if ($host = mail.zzls.xyz) {
		return 301 https://$host$request_uri;
	}
	server_name mail.zzls.xyz;
	listen 80;
	return 404; # managed by Certbot
}