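# TLS certificate/key material and HTTPS response headers for domain.tld.
# Each directive sits on its own line: a "#" comments out the rest of its line,
# so a comment and a directive must never share one.

# For permissions see: https://blog.kamal.io/post/nginx-and-ssl-root-key-security/
# privkey.pem should be readable by root only. When the nginx master process
# starts as root it loads the key before the workers drop privileges, so the
# worker user does not need read access to it.
ssl_certificate         /etc/letsencrypt/live/domain.tld/fullchain.pem;
ssl_certificate_key     /etc/letsencrypt/live/domain.tld/privkey.pem;

# DH parameters are only used for DHE cipher suites.
# NOTE(review): this file is presumably generated by the operator and placed
# here by hand; confirm it survives certificate renewal.
ssl_dhparam             /etc/letsencrypt/live/domain.tld/dhparams.pem;

# CA chain used to verify OCSP responses when stapling is enabled
# (ssl_stapling / ssl_stapling_verify are not set in this snippet).
ssl_trusted_certificate /etc/letsencrypt/live/domain.tld/chain.pem;

# For preload see: https://hstspreload.appspot.com
# includeSubDomains + preload commits every subdomain to HTTPS, and removal
# from a browser preload list is slow; confirm all subdomains serve valid TLS
# before submitting.
# "always" (nginx 1.7.5+) also sends the header on error responses; without it
# add_header only applies to 2xx/3xx responses.
# add_header is inherited from this level only by blocks that declare no
# add_header of their own, so repeat these headers wherever a server/location
# block adds its own.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; # valid for 365 days

# Pinned certs: Lets-Enc-x1, Lets-Enc-x2
# Report-only mode: a pin mismatch is reported to report-uri, never enforced.
# NOTE(review): HPKP is deprecated and major browsers have removed support, so
# this header is most likely ignored by current clients. The pins also name CA
# intermediates, which stop matching when the CA rotates them; verify the pins
# against the chain actually served, or drop the header.
add_header Public-Key-Pins-Report-Only 'pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis="; report-uri="https://report-uri.io/report/12345678/reportOnly"; max-age=7776000'; # valid for 90 days (report-only)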