server {
    listen 80;
    listen 443 ssl http2;

    server_name pma.{{domain}};
    ssl_certificate /etc/letsencrypt/live/pma.{{domain}}/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/pma.{{domain}}/privkey.pem; # managed by Certbot

    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    root /var/www/pma;
    
    location ^~ / {
        index index.php;
        location ^~ /wiki/maintenance/ {
            return 403;
        }
        location ~ .*.php$ {
            include /etc/nginx/fastcgi.conf;
            fastcgi_pass unix:/run/php/php-fpm.sock;
            fastcgi_index index.php;
        }
        location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
            expires max;
            log_not_found off;
        }
    }
}