server {
  listen 80;
  server_name _;
  root /usr/share/nginx/html;
  index index.html;

  # Headers simples (DSM fait déjà le TLS)
  add_header X-Content-Type-Options nosniff always;
  add_header X-Frame-Options SAMEORIGIN always;
  add_header Referrer-Policy strict-origin-when-cross-origin always;

  location = /favicon.ico {
    try_files /favicon.ico =404;
    access_log off;
    log_not_found off;
  }
  
  location = /favicon.svg {
    try_files /favicon.svg =404;
    access_log off;
    log_not_found off;
  }

  # Assets statiques (cache long)
  location ~* \.(?:css|js|mjs|json|png|jpg|jpeg|gif|svg|webp|ico|woff2?|ttf|eot|wasm)$ {
    try_files $uri =404;
    expires 30d;
    add_header Cache-Control "public, max-age=2592000, immutable";
  }

  # Pages Astro générées en /.../index.html
  location / {
    try_files $uri $uri/ =404;
  }
}