server {
    server_name deb.krd.sh;

    include snip.d/listen-http;

    include snip.d/https-alt-svc;

    access_log off;
    log_not_found off;

    root /var/www/deb;

    include snip.d/empty-favicon;

    location /
    {
        return 301 https://$host$request_uri;

        include snip.d/https-alt-svc;
        include snip.d/http-security-headers;
    }

    ## allow APT work as usual

    location ~*/(?:InRelease|Release|Packages|Sources)$
             ~*/[^/]+/.*[^/]+\.(?:asc|dsc)$
    {
        try_files $uri $uri/ =404;
        default_type text/plain;
    }

    ## /*/dists/*/Release.gpg
    location ~*^/[^/]+/.*[^/]+\.(?:gpg)$
    {
        try_files $uri $uri/ =404;
    }

    location ~*\.(?:bz2|deb|gz|tar|udeb|xz|Z|zip|zstd?)$
             ## various tarball file name extensions (sic!)
             ~*\.t(?:[agx]z|bz2?|[bz]2|bJ|zo|lz(?:|ma?)|zstd?|a?Z)$
    {
        try_files $uri $uri/ =404;
        include snip.d/disable-comp;
    }
}

server {
    server_name deb.krd.sh;

    include snip.d/listen-https;
    include snip.d/ssl-krd.sh;

    access_log off;
    log_not_found off;

    root /var/www/deb;
    autoindex on;

    include snip.d/empty-favicon;

    location /
    {
        try_files $uri $uri/ =404;

        include snip.d/https-alt-svc;
        include snip.d/http-security-headers;
    }

    location ~*/(?:InRelease|Release|Packages|Sources)$
             ~*\.(?:asc|build|buildinfo|changes|dsc|list|log|sources)$
    {
        try_files $uri $uri/ =404;
        default_type text/plain;
    }

    location ~*\.(?:bz2|deb|gz|tar|udeb|xz|Z|zip|zstd?)$
             ## various tarball file name extensions (sic!)
             ~*\.t(?:[agx]z|bz2?|[bz]2|bJ|zo|lz(?:|ma?)|zstd?|a?Z)$
    {
        try_files $uri $uri/ =404;
        include snip.d/disable-comp;
    }

    ## "meta" usually doesn't contain sensitive data
    # include snip.d/deny-dotfiles;
    location ~*^/[^/]+/\.meta/
    {
        try_files $uri $uri/ =404;
        default_type text/plain;
    }
}