server {  
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name git.*;

    include /config/nginx/ssl.conf;

    location / {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        include /config/nginx/security-headers.conf;
        add_header Content-Security-Policy "default-src 'none'; connect-src 'self'; font-src * https: data:; img-src * https: data:; manifest-src * https: data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'";        
        add_header Onion-Location http://vkp7367tcjpqdwwckigrdrvmwvispvbpg5rlsr2chjxvppfg7hipagyd.onion$request_uri;
        set $upstream_app gitea;
        set $upstream_port 3333;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}