2:7f4ad9be3e85
Anton Shestakov <engored@ya.ru>, Thu, 21 Jan 2016 01:50:21 +0800
roles: common, interactive, memcached, nginx, email

next change 6:7cc6e8563947

roles/nginx/templates/etc/nginx/sites-available/munin

Permissions: -rw-r--r--

# Plain-HTTP vhost for munin.{{ hostname }}: serves no content and only
# redirects every request to the HTTPS vhost.
server {
    listen 80;
    listen [::]:80;
    server_name munin.{{ hostname }};

    error_log /var/log/nginx/munin.{{ hostname }}.error.log;
    access_log /var/log/nginx/munin.{{ hostname }}.access.log;

    # The redirect target is built from the templated hostname, not from the
    # client-supplied Host header, so a forged Host cannot steer the Location.
    return 301 https://munin.{{ hostname }}$request_uri;
}
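# HTTPS vhost for munin.{{ hostname }}: serves the static Munin output from
# /var/cache/munin/www and requires a client certificate on every connection.
server {
    server_name munin.{{ hostname }};
    # NOTE(review): the `spdy` listen parameter only exists in older nginx
    # releases; newer ones use `http2` instead. Confirm against the deployed version.
    listen 443 ssl spdy;
    listen [::]:443 ssl spdy;

    # Server certificate and key.
    ssl_certificate /etc/nginx/easy-rsa/keys/munin.{{ hostname }}.crt;
    ssl_certificate_key /etc/nginx/easy-rsa/keys/munin.{{ hostname }}.key;

    # Mutual TLS: clients must present a certificate that chains to ca.crt.
    # ssl_client_certificate is the CA set used to verify client certificates,
    # and its names are sent to clients in the handshake. ssl_trusted_certificate
    # is trusted as well but is not sent to clients.
    # NOTE(review): whether ssl_trusted_certificate alone is enough depends on
    # the nginx version; test before removing either line.
    ssl_trusted_certificate /etc/nginx/easy-rsa/keys/ca.crt;
    ssl_client_certificate /etc/nginx/easy-rsa/keys/ca.crt;
    ssl_verify_client on;
    # NOTE(review): no ssl_crl is configured, so a client certificate that has
    # been revoked in the easy-rsa CA is still accepted until it expires.

    ssl_dhparam /etc/nginx/dh-2048.pem;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and are no longer offered.
    # Add TLSv1.3 here once the deployed nginx/OpenSSL build supports it.
    # NOTE(review): ssl_ciphers is not set, so the nginx default list applies.
    ssl_protocols TLSv1.2;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;

    # NOTE(review): add_header without `always` is skipped on error responses
    # (such as a rejected client certificate). Append `always` where the
    # deployed nginx supports that parameter.

    # access from <frame | iframe | object>: DENY | SAMEORIGIN | ALLOW-FROM uri
    add_header X-Frame-Options 'SAMEORIGIN';
    # HPKP: 5184000 = 60 days
    # One pin-sha256 is emitted per entry in hpkpinfo.results (registered outside
    # this template). RFC 7469 requires at least one backup pin that is not in
    # the served chain; verify the result set includes one. A lost or wrong pin
    # set locks pinned clients out for max-age. Major browsers have since
    # dropped HPKP, so treat this header as legacy.
    add_header Public-Key-Pins '{% for r in hpkpinfo.results %}pin-sha256="{{ r.stdout }}"; {% endfor %}max-age=5184000';
    # HSTS: 31536000 = 365 days (set to 0 to expire and allow plain HTTP)
    add_header Strict-Transport-Security 'max-age=31536000';
    # Candidate CSP, kept as a comment only; no CSP header is currently sent:
    # Content-Security-Policy-Report-Only: default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report
    # Keep responses out of shared caches.
    add_header Cache-Control private;

    access_log /var/log/nginx/munin.{{ hostname }}.access.log;
    error_log /var/log/nginx/munin.{{ hostname }}.error.log;

    root /var/cache/munin/www;

    # Requests for .png files are not written to the access log. This location
    # has no add_header of its own, so the headers above are inherited.
    location ~* \.png$ {
        access_log off;
    }
}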