Switch to nginx-proxy

.env.example

@@ -7,6 +7,7 @@ USER_PASSWORD=
 DOMAIN=scarif.local
 LOCAL_IP=192.168.10.10
 SSH_KEY= # Will be added to authorized keys
+COMPOSE_PROFILES=prod
 
 #
 # Database settings

docker-compose.yml

@@ -1,10 +1,3 @@
-# Options for building certificates
-x-certs: &certs
-  image: paulczar/omgwtfssl
-  restart: "no"
-  volumes:
-    - /opt/ssl:/certs
-
 x-logging: &logging
   logging:
     driver: "local"
@@ -13,19 +6,24 @@ x-logging: &logging
       max-file: "2"
 
 services:
-  change:
+  # change:
-    <<: *logging
+  #   <<: *logging
-    container_name: change
+  #   profiles: ["prod"]
-    image: node:alpine
+  #   container_name: change
-    build: ./change-game
+  #   image: node:alpine
-    environment:
+  #   build: ./change-game
-      - PORT=9000
+  #   environment:
-    networks:
+  #     - PORT=9000
-      - nginx
+  #     - VIRTUAL_HOST=rec.${DOMAIN}
-    volumes:
+  #     - CERT_NAME=${DOMAIN}
-      - change:/change/public
+  #     - VIRTUAL_PORT=9000
+  #   networks:
+  #     - nginx
+  #   volumes:
+  #     - change:/change/public
 
   foundry:
+    profiles: ["prod"]
     <<: *logging
     image: felddy/foundryvtt:release
     volumes:
@@ -45,13 +43,18 @@ services:
       - CONTAINER_PATCHES=/data/patches
       - FOUNDRY_UID=1000
       - FOUNDRY_GID=1000
+      - VIRTUAL_HOST=rec.${DOMAIN}
+      - CERT_NAME=${DOMAIN}
+      - VIRTUAL_PORT=30000
+      - VIRTUAL_PATH=/foundry
     networks:
       - nginx
 
   nextcloud:
+    profiles: ["prod"]
     <<: *logging
     build: ./nextcloud
-    image: nextcloud
+    image: nextcloud:31-fpm-alpine
     restart: unless-stopped
     user: 1000:1000
     volumes:
@@ -59,6 +62,10 @@ services:
       - /mnt/tower/stardust:/var/www/html/data
       - /mnt/tower/foundry:/var/www/foundry
     environment:
+      - VIRTUAL_HOST=tower.${DOMAIN}
+      - CERT_NAME=${DOMAIN}
+      - VIRTUAL_PORT=9000
+      - VIRTUAL_PROTO=fastcgi
       - REDIS_HOST=redis
       - MYSQL_HOST=db
       - MYSQL_PASSWORD=${DB_PASSWORD}
@@ -88,12 +95,16 @@ services:
       - "office.${DOMAIN}:${LOCAL_IP}" 
 
   collabora:
+    profiles: ["prod", "dev"]
     <<: *logging
     image: collabora/code
     restart: unless-stopped
     cap_add:
       - MKNOD
     environment:
+      - VIRTUAL_HOST=office.${DOMAIN}
+      - CERT_NAME=${DOMAIN}
+      - VIRTUAL_PORT=9980
       - "DONT_GEN_SSL_CERT=True"
       - domain=tower.${DOMAIN}
       - cert_domain=office.${DOMAIN}
@@ -108,28 +119,14 @@ services:
       - "tower.${DOMAIN}:${LOCAL_IP}"
       - "office.${DOMAIN}:${LOCAL_IP}"
 
-  homebox:
-    <<: *logging
-    image: ghcr.io/hay-kot/homebox:latest
-    restart: unless-stopped
-    environment:
-      - HBOX_LOG_LEVEL=info
-      - HBOX_LOG_FORMAT=text
-      - HBOX_WEB_MAX_UPLOAD_SIZE=10
-      - HBOX_OPTIONS_ALLOW_REGISTRATION=false
-      - HBOX_MAILER_HOST=${MAIL_HOST}
-      - HBOX_MAILER_PORT=${MAIL_PORT}
-      - HBOX_MAILER_USERNAME=${MAIL_USER}
-      - HBOX_MAILER_PASSWORD=${MAIL_PASSWORD}
-    volumes:
-      - homebox:/data/
-    networks:
-      - nginx
-
   gitea:
+    profiles: ["prod", "dev"]
     <<: *logging
     image: gitea/gitea:1
     environment:
+      - VIRTUAL_HOST=labs.${DOMAIN}
+      - CERT_NAME=${DOMAIN}
+      - VIRTUAL_PORT=3000
       - "APP_NAME=Labs: Where the good stuff happens"
       - RUN_MODE=prod
       - DOMAIN=labs.${DOMAIN}
@@ -158,6 +155,7 @@ services:
       - db
 
   minecraft:
+    profiles: ["prod"]
     <<: *logging
     image: itzg/minecraft-server
     tty: true
@@ -176,6 +174,7 @@ services:
       - minecraft:/data
 
   mc-backup:
+    profiles: ["prod"]
     <<: *logging
     image: itzg/mc-backup
     depends_on:
@@ -193,53 +192,15 @@ services:
       - minecraft:/data:ro
       - /mnt/tower/backups/minecraft:/backups
 
-  tt-rss:
-    <<: *logging
-    image: cthulhoo/ttrss-fpm-pgsql-static:latest
-    restart: unless-stopped
-    environment:
-      - TTRSS_SELF_URL_PATH=https://intel.${DOMAIN}
-      - TTRSS_DB_USER=${DB_USER}
-      - TTRSS_DB_NAME=scarif
-      - TTRSS_DB_PASS=${DB_PASSWORD}
-      - TTRSS_DB_HOST=psqldb
-        #- AUTO_CREATE_USER=${TTRSS_USER}
-        #- AUTO_CREATE_USER_PASS=${TTRSS_USER_PASS}
-        #- ADMIN_USER_ACCESS_LEVEL=-2
-    volumes:
-      - tt-rss:/var/www/html
-      - ./tt-rss/config.d:/opt/tt-rss/config.d:ro
-    depends_on:
-      - psqldb
-    networks:
-      - db
-      - nginx
-
-  tt-rss-updater:
-    <<: *logging
-    image: cthulhoo/ttrss-fpm-pgsql-static:latest
-    restart: unless-stopped
-    environment:
-      - TTRSS_SELF_URL_PATH=https://intel.${DOMAIN}
-      - TTRSS_DB_USER=${DB_USER}
-      - TTRSS_DB_NAME=scarif
-      - TTRSS_DB_PASS=${DB_PASSWORD}
-      - TTRSS_DB_HOST=psqldb
-    volumes:
-      - tt-rss:/var/www/html
-      - ./tt-rss/config.d:/opt/tt-rss/config.d:ro
-    depends_on:
-      - tt-rss
-      - psqldb
-    command: /opt/tt-rss/updater.sh
-    networks:
-      - db
-
   navidrome:
+    profiles: ["prod"]
     <<: *logging
     image: deluan/navidrome:latest
     restart: unless-stopped
     environment:
+      - VIRTUAL_HOST=radio.${DOMAIN}
+      - CERT_NAME=${DOMAIN}
+      - VIRTUAL_PORT=4533
       - ND_SCANSCHEDULE=1h
       - ND_LOGLEVEL=info
       - ND_SESSIONTIMEOUT=24h
@@ -251,15 +212,17 @@ services:
       - nginx
 
   pihole:
+    profiles: ["prod"]
     <<: *logging
     image: pihole/pihole:latest
     ports:
       - "53:53/tcp"
       - "53:53/udp"
     environment:
-      TZ: "Europe/London"
+      - VIRTUAL_HOST=net.${DOMAIN}
-      WEBPASSWORD: ${PIHOLE_PASSWORD}
+      - CERT_NAME=${DOMAIN}
-      VIRTUAL_HOST: net.${DOMAIN}
+      - TZ="Europe/London"
+      - WEBPASSWORD=${PIHOLE_PASSWORD}
     volumes:
       - "/docker/pihole/etc-pihole:/etc/pihole"
       - "/docker/pihole/etc-dnsmasq.d:/etc/dnsmasq.d"
@@ -267,22 +230,8 @@ services:
     networks:
       - nginx
 
-  pdf2audiobook:
-    <<: *logging
-    build: ./pdf-to-audiobook
-    image: pdf2audiobook:latest
-    container_name: pdf2audiobook
-    working_dir: /app
-    volumes:
-      - ./pdf-to-audiobook:/app
-      - /mnt/tower/stardust/chris/files/Library:/books:ro
-      - /mnt/tower/stardust/chris/files/Audiobooks:/audio
-    environment:
-      - OPENAI_API_KEY=${OPENAI_API_KEY}
-      - OPENAI_API_BASE=${OPENAI_API_BASE:-https://aihubmix.com/v1}
-      - OPENAI_MODEL=${OPENAI_MODEL:-aihubmix-Llama-3-3-70B-Instruct}
-
   jitsi:
+    profiles: ["prod"]
     <<: *logging
     image: jitsi/web:stable
     restart: unless-stopped
@@ -291,6 +240,9 @@ services:
       - ${CONFIG}/web/crontabs:/var/spool/cron/crontabs:Z
       - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts:Z
     environment:
+      - VIRTUAL_HOST=comms.${DOMAIN}
+      - VIRTUAL_PORT=80
+      - CERT_NAME=${DOMAIN}
       - AMPLITUDE_ID
       - ANALYTICS_SCRIPT_URLS
       - ANALYTICS_WHITELISTED_EVENTS
@@ -435,6 +387,7 @@ services:
 
   # XMPP server
   prosody:
+    profiles: ["prod"]
     <<: *logging
     image: jitsi/prosody:stable
     restart: unless-stopped
@@ -532,6 +485,7 @@ services:
 
   # Focus component
   jicofo:
+    profiles: ["prod"]
     <<: *logging
     image: jitsi/jicofo:stable
     restart: unless-stopped
@@ -581,6 +535,7 @@ services:
 
   # Video bridge
   jvb:
+    profiles: ["prod"]
     <<: *logging
     image: jitsi/jvb:stable
     restart: unless-stopped
@@ -627,6 +582,7 @@ services:
 
 
   db:
+    profiles: ["prod", "dev"]
     <<: *logging
     image: mariadb
     command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW --skip-innodb-read-only-compressed
@@ -642,41 +598,40 @@ services:
       - db
 
   redis:
+    profiles: ["prod", "dev"]
     image: redis:alpine
     restart: always
     networks:
       - redis
 
   nginx:
-    <<: *logging
+    profiles: ["prod", "dev"]
-    image: nginx:alpine
+    image: nginxproxy/nginx-proxy
     restart: always
+    ports:
+      - "80:80"
+      - "443:443"
     volumes:
+      - /var/run/docker.sock:/tmp/docker.sock:ro
       - /opt/ssl:/etc/nginx/certs:ro
-      - ./nginx/nginx.conf.template:/etc/nginx/conf.d/nginx.conf.template
+      - ./nginx-proxy/vhost.d/labs_location:/etc/nginx/vhost.d/labs.${DOMAIN}_location:ro
-      - ./nginx/generate_conf.sh:/docker-entrypoint.d/generate_conf.sh
+      - ./nginx-proxy/vhost.d/office:/etc/nginx/vhost.d/office.${DOMAIN}:ro
+      - ./nginx-proxy/vhost.d/rec:/etc/nginx/vhost.d/rec.${DOMAIN}:ro
+      - ./nginx-proxy/vhost.d/tower_location_override:/etc/nginx/vhost.d/tower.${DOMAIN}_location_override:ro
+      - ./nginx-proxy/vhost.d/tower:/etc/nginx/vhost.d/tower.${DOMAIN}:ro
+      - ./nginx-proxy/conf.d/custom_proxy.conf:/etc/nginx/conf.d/custom_proxy.conf:ro
       - nextcloud:/var/www/html/nextcloud:ro
       - ./christmas:/var/www/html/christmas:ro
       - tt-rss:/var/www/html/tt-rss:ro
-      - change:/var/www/html/change:ro
-    environment:
-      - DOMAIN=${DOMAIN}
-    depends_on:
-      - nextcloud
-      - gitea
-      - collabora
-      - pihole
-      - foundry
-      - tt-rss
-      - homebox
-      - navidrome
-    ports:
-      - 443:443
     networks:
       - nginx
 
   certs:
-    <<: *certs
+    profiles: ["dev"]
+    image: paulczar/omgwtfssl
+    restart: "no"
+    volumes:
+      - /opt/ssl:/certs
     environment:
       - SSL_SUBJECT=${DOMAIN}
       - CA_SUBJECT=chris@${DOMAIN}
@@ -684,27 +639,11 @@ services:
       - SSL_CSR=/certs/${DOMAIN}.csr
       - SSL_CERT=/certs/${DOMAIN}.crt
 
-  psqldb:
-    <<: *logging
-    image: postgres:12-alpine
-    restart: unless-stopped
-    environment:
-      - POSTGRES_USER=${DB_USER}
-      - POSTGRES_PASSWORD=${DB_PASSWORD}
-      - POSTGRES_DB=scarif
-    volumes:
-      - psqldb:/var/lib/postgresql/data
-    networks:
-      - db
-
 volumes:
   db:
-  psqldb:
-  tt-rss:
   gitea:
   nextcloud:
   foundry:
-  homebox:
   navidrome:
   minecraft:
   change:

nextcloud/Dockerfile

@@ -3,30 +3,30 @@ FROM nextcloud:30-fpm-alpine
 RUN set -ex; \
     \
     apk add --no-cache \
-        ffmpeg \
+    ffmpeg \
-        #imagemagick \
+    #imagemagick \
-        procps \
+    procps \
-        supervisor \
+    supervisor \
     ;
 
 RUN set -ex; \
     \
     apk add --no-cache --virtual .build-deps \
-        $PHPIZE_DEPS \
+    $PHPIZE_DEPS \
-        krb5-dev \
+    krb5-dev \
-        openssl-dev \
+    openssl-dev \
-        bzip2-dev \
+    bzip2-dev \
     ; \
     \
     docker-php-ext-install \
-        bz2 \
+    bz2 \
     ; \
     \
     runDeps="$( \
-        scanelf --needed --nobanner --format '%n#p' --recursive /usr/local/lib/php/extensions \
+    scanelf --needed --nobanner --format '%n#p' --recursive /usr/local/lib/php/extensions \
-            | tr ',' '\n' \
+    | tr ',' '\n' \
-            | sort -u \
+    | sort -u \
-            | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
+    | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
     )"; \
     apk add --virtual .nextcloud-phpext-rundeps $runDeps; \
     apk del .build-deps
@@ -34,7 +34,7 @@ RUN set -ex; \
 RUN mkdir -p \
     /var/log/supervisord \
     /var/run/supervisord \
-;
+    ;
 
 RUN addgroup -S -g 1000 nextcloud; \
     adduser -S -u 1000 -G nextcloud nextcloud; \

nginx/conf.d/custom_proxy.conf

@@ -0,0 +1,20 @@
+# server {
+#     listen 443 ssl http2;
+#
+#     ssl_certificate /etc/nginx/certs/${DOMAIN}.crt;
+#     ssl_certificate_key /etc/nginx/certs/${DOMAIN}.key;
+#
+#     server_name christmas.${DOMAIN};
+#
+#     gzip_types text/plain text/css application/json application/x-javascript
+#         text/xml application/xml application/xml+rss text/javascript;
+#
+#     root "/var/www/html/christmas";
+#
+#     location / {
+#         try_files $uri.html $uri /default.html;
+#     }
+# }
+
+proxy_buffering off;
+

nginx/nginx.conf.template

@@ -376,7 +376,6 @@ http {
         client_max_body_size 300M;
 
         location /foundry {
-          
             # Set proxy headers
             proxy_set_header Host $host;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -385,23 +384,22 @@ http {
             # These are important to support WebSockets;
             proxy_set_header Upgrade $http_upgrade;
             proxy_set_header Connection "Upgrade";
-          
             proxy_pass http://foundry-handler;
         }
 
-	location ~ ^/change/(socket\.io|peer) {
+        location ~ ^/change/(socket\.io|peer) {
-       	    proxy_pass http://change-handler;
+                proxy_pass http://change-handler;
-	    proxy_http_version 1.1;
+            proxy_http_version 1.1;
-	    proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Upgrade $http_upgrade;
-	    proxy_set_header Connection $proxy_connection;
+            proxy_set_header Connection $proxy_connection;
-	    proxy_set_header Host $host;
+            proxy_set_header Host $host;
 
-	    proxy_buffering off;
+            proxy_buffering off;
-	    proxy_redirect off;
+            proxy_redirect off;
-	    proxy_connect_timeout 90s;
+            proxy_connect_timeout 90s;
-	    proxy_send_timeout 90s;
+            proxy_send_timeout 90s;
-	    proxy_read_timeout 90s;
+            proxy_read_timeout 90s;
-	}
+        }
 
         location /change {
 

nginx/vhost.d/labs_location

@@ -0,0 +1,6 @@
+if ($http_origin ~* (https?://(?:www\.)?5e\.tools|https?://(?:www\.)?rec\.scarif\.space)) {
+    add_header 'Access-Control-Allow-Origin' "$http_origin";
+    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+    add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+    add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
+}

nginx/vhost.d/office

@@ -0,0 +1,42 @@
+# static files
+location ^~ /browser {
+    proxy_pass http://$server_name;
+    proxy_set_header Host $http_host;
+}
+
+# WOPI discovery URL
+location ^~ /hosting/discovery {
+    proxy_pass http://$server_name;
+    proxy_set_header Host $http_host;
+}
+
+# Capabilities
+location ^~ /hosting/capabilities {
+    proxy_pass http://$server_name;
+    proxy_set_header Host $http_host;
+}
+
+# main websocket
+location ~ ^/cool/(.*)/ws$ {
+    proxy_pass http://$server_name;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "Upgrade";
+    proxy_set_header Host $http_host;
+    proxy_read_timeout 36000s;
+}
+
+# download, presentation and image upload
+location ~ ^/(c|l)ool {
+    proxy_pass http://$server_name;
+    proxy_set_header Host $http_host;
+}
+
+# Admin Console websocket
+location ^~ /cool/adminws {
+    proxy_pass http://$server_name;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "Upgrade";
+    proxy_set_header Host $http_host;
+    proxy_read_timeout 36000s;
+}
+

nginx/vhost.d/rec

@@ -0,0 +1,23 @@
+Need to figure out how to get this working with nginx-proxy
+
+# This file is for the /change/socket.io and /change/peer paths
+location ~ ^/change/(socket\.io|peer) {
+# Set proxy headers
+    proxy_set_header Host $host;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+
+# WebSocket specific headers
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "Upgrade";
+
+# WebSocket specific settings
+    proxy_buffering off;
+    proxy_redirect off;
+    proxy_connect_timeout 90s;
+    proxy_send_timeout 90s;
+    proxy_read_timeout 90s;
+
+    proxy_pass http://$server_name;
+}

nginx/vhost.d/tower

@@ -0,0 +1,67 @@
+root /var/www/html/nextcloud;
+
+# Prevent nginx HTTP Server Detection
+server_tokens off;
+
+# HSTS settings
+# WARNING: Only add the preload option once you read about
+# the consequences in https://hstspreload.org/. This option
+# will add the domain to a hardcoded list that is shipped
+# in all major browsers and getting removed from this list
+# could take several months.
+#add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
+# set max upload size and increase upload timeout:
+client_max_body_size 10G;
+client_body_timeout 300s;
+fastcgi_buffers 64 4K;
+
+# Enable gzip but do not remove ETag headers
+gzip on;
+gzip_vary on;
+gzip_comp_level 4;
+gzip_min_length 256;
+gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+# Pagespeed is not supported by Nextcloud, so if your server is built
+# with the `ngx_pagespeed` module, uncomment this line to disable it.
+#pagespeed off;
+
+# The settings allows you to optimize the HTTP2 bandwidth.
+# See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
+# for tuning hints
+client_body_buffer_size 512k;
+
+# HTTP response headers borrowed from Nextcloud `.htaccess`
+add_header Referrer-Policy "no-referrer" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header X-Frame-Options "SAMEORIGIN" always;
+add_header X-Permitted-Cross-Domain-Policies "none" always;
+add_header X-Robots-Tag "none" always;
+
+# Remove X-Powered-By, which is an information leak
+fastcgi_hide_header X-Powered-By;
+
+# Set .mjs and .wasm MIME types
+# Either include it in the default mime.types list
+# and include that list explicitly or add the file extension
+# only for Nextcloud like below:
+include mime.types;
+types {
+    text/javascript mjs;
+    application/wasm wasm;
+}
+
+# Specify how to handle directories -- specifying `/index.php$request_uri`
+# here as the fallback means that Nginx always exhibits the desired behaviour
+# when a client requests a path that corresponds to a directory that exists
+# on the server. In particular, if that directory contains an index.php file,
+# that file is correctly served; if it doesn't, then the request is passed to
+# the front-end controller. This consistent behaviour means that we don't need
+# to specify custom rules for certain paths (e.g. images and other assets,
+# `/updater`, `/ocs-provider`), and thus
+# `try_files $uri $uri/ /index.php$request_uri`
+# always provides the desired behaviour.
+index index.php index.html /index.php$request_uri;
+

nginx/vhost.d/tower_location_override

@@ -0,0 +1,93 @@
+# Rule borrowed from `.htaccess` to handle Microsoft DAV clients
+location = / {
+    if ( $http_user_agent ~ ^DavClnt ) {
+        return 302 /remote.php/webdav/$is_args$args;
+    }
+}
+
+location = /robots.txt {
+    allow all;
+    log_not_found off;
+    access_log off;
+}
+
+# Make a regex exception for `/.well-known` so that clients can still
+# access it despite the existence of the regex rule
+# `location ~ /(\.|autotest|...)` which would otherwise handle requests
+# for `/.well-known`.
+location ^~ /.well-known {
+    # The rules in this block are an adaptation of the rules
+    # in `.htaccess` that concern `/.well-known`.
+
+    location = /.well-known/carddav { return 301 /remote.php/dav/; }
+    location = /.well-known/caldav  { return 301 /remote.php/dav/; }
+
+    location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
+    location /.well-known/pki-validation    { try_files $uri $uri/ =404; }
+
+    # Let Nextcloud's API for `/.well-known` URIs handle all other
+    # requests by passing them to the front-end controller.
+    return 301 /index.php$request_uri;
+}
+
+# Rules borrowed from `.htaccess` to hide certain paths from clients
+location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
+location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }
+
+# Ensure this block, which passes PHP files to the PHP process, is above the blocks
+# which handle static assets (as seen below). If this block is not declared first,
+# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
+# to the URI, resulting in a HTTP 500 error response.
+location ~ \.php(?:$|/) {
+    # Required for legacy support
+    rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;
+
+    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+    set $path_info $fastcgi_path_info;
+
+    try_files $fastcgi_script_name =404;
+
+    include fastcgi_params;
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    fastcgi_param PATH_INFO $path_info;
+    fastcgi_param HTTPS on;
+
+    fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
+    fastcgi_param front_controller_active true;     # Enable pretty urls
+    fastcgi_pass http://$server_name;
+
+    fastcgi_intercept_errors on;
+    fastcgi_request_buffering off;
+
+    fastcgi_max_temp_file_size 0;
+}
+
+# Serve static files
+location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ {
+    try_files $uri /index.php$request_uri;
+    # HTTP response headers borrowed from Nextcloud `.htaccess`
+    add_header Cache-Control                     "public, max-age=15778463$asset_immutable";
+    add_header Referrer-Policy                   "no-referrer"       always;
+    add_header X-Content-Type-Options            "nosniff"           always;
+    add_header X-Frame-Options                   "SAMEORIGIN"        always;
+    add_header X-Permitted-Cross-Domain-Policies "none"              always;
+    add_header X-Robots-Tag                      "noindex, nofollow" always;
+    add_header X-XSS-Protection                  "1; mode=block"     always;
+    access_log off;     # Optional: Don't log access to assets
+}
+
+location ~ \.(otf|woff2?)$ {
+    try_files $uri /index.php$request_uri;
+    expires 7d;         # Cache-Control policy borrowed from `.htaccess`
+    access_log off;     # Optional: Don't log access to assets
+}
+
+# Rule borrowed from `.htaccess`
+location /remote {
+    return 301 /remote.php$request_uri;
+}
+
+location / {
+    try_files $uri $uri/ /index.php$request_uri;
+}
+