Add Strict-Transport-Security (max-age 1y, includeSubDomains) to every TLS
server block in both vhost templates. Combined with the existing port-80
301 redirect, browsers refuse plain HTTP to these names after first visit.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The `http2 on;` directive needs nginx 1.25.1+; older builds reject it. Move
http2 onto the listen line (`listen 443 ssl http2;`) which works on old and
new nginx alike. Applied to both vhost templates.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Port the /launcher/* static route from caddy's 10-static.caddy to the
nginx apex server (alias -> ./mirror/launcher, autoindex). /ca.crt is
omitted — LE certs are publicly trusted, no guest CA import needed.
The 20-mirror.caddy upstream spoofs stay caddy/air-gap-only.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
tooling/issue-letsencrypt.sh: manual script, issues one cert per name
(apex + LE_SUBDOMAINS) with acme.sh + OVH DNS-01 (no inbound ports),
installs to certs/<name>/ and reloads nginx. nginx/ulicraft.conf.tmpl:
TLS vhosts for apex/pack (static) + auth (proxy to drasl). OVH creds and
LE_EMAIL in .env.example; certs/ gitignored. plan/15-letsencrypt.md.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>