# Cache and security rules for static site (included by both dev and bio server blocks)
# Security headers are handled upstream by Traefik

# HTML: no-cache (always revalidate)
location ~ \.html$ {
    add_header Cache-Control "no-cache, must-revalidate";
    expires 0;
}

# CSS and JavaScript: long cache with immutable (hashed filenames)
location ~* \.(css|js)$ {
    add_header Cache-Control "public, max-age=31536000, immutable";
    access_log off;
}

# Images: long cache (30 days)
location ~* \.(jpg|jpeg|png|gif|webp|avif)$ {
    add_header Cache-Control "public, max-age=2592000";
    access_log off;
}

# SVG images: long cache (30 days)
location ~* \.svg$ {
    add_header Cache-Control "public, max-age=2592000";
    add_header Content-Type image/svg+xml;
    access_log off;
}

# Fonts: long cache with immutable
location ~* \.(woff|woff2|ttf|otf|eot)$ {
    add_header Cache-Control "public, max-age=31536000, immutable";
    access_log off;
}

# Documents: medium cache (30 days)
location ~* \.(pdf|doc|docx)$ {
    add_header Cache-Control "public, max-age=2592000";
    access_log off;
}

# robots.txt and sitemap.xml: handled in default.conf with alias (variant-specific)

# favicon: long cache (30 days)
location = /favicon.svg {
    add_header Cache-Control "public, max-age=2592000";
    add_header Content-Type image/svg+xml;
    access_log off;
}

# .well-known (security.txt, ACME, etc.)
location ^~ /.well-known/ {
    add_header Cache-Control "public, max-age=86400";
}

# Deny hidden files
location ~ /\. {
    deny all;
    access_log off;
    log_not_found off;
}