server {
    server_name munin.{{ hostname }};
    listen 80;
    listen [::]:80;
    access_log /var/log/nginx/munin.{{ hostname }}.access.log;
    error_log /var/log/nginx/munin.{{ hostname }}.error.log;
    return 301 https://$host$request_uri;
}
server {
    server_name munin.{{ hostname }};
    listen 443 ssl spdy;
    listen [::]:443 ssl spdy;
    ssl_certificate /etc/nginx/easy-rsa/keys/munin.{{ hostname }}.crt;
    ssl_certificate_key /etc/nginx/easy-rsa/keys/munin.{{ hostname }}.key;
    ssl_trusted_certificate /etc/nginx/easy-rsa/keys/ca.crt;
    ssl_client_certificate /etc/nginx/easy-rsa/keys/ca.crt; # XXX: should work without this?
    ssl_verify_client on;
    ssl_dhparam /etc/nginx/dh-2048.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    # Various security headers not related to HTTPS
    # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection '1; mode=block';
    # HPKP: 5184000 = 60 days
    add_header Public-Key-Pins '{% for r in hpkpinfo.results %}pin-sha256="{{ r.stdout }}"; {% endfor %}max-age=5184000';
    # HSTS: 31536000 = 365 days (set to 0 to expire and allow plain HTTP)
    add_header Strict-Transport-Security 'max-age=31536000';
    add_header Cache-Control private;
    access_log /var/log/nginx/munin.{{ hostname }}.access.log;
    error_log /var/log/nginx/munin.{{ hostname }}.error.log;
    root /var/cache/munin/www;
    location ~* \.png$ {
        access_log off;
    }
}