bake htpasswd from build arg, security hardening, fix home routing

infra/nginx.conf

@@ -1,3 +1,5 @@
+server_tokens off;
+
 limit_req_zone $binary_remote_addr zone=contact_limit:10m rate=5r/m;
 
 gzip on;
@@ -22,6 +24,9 @@ server {
     add_header Cross-Origin-Resource-Policy "same-origin" always;
     add_header Content-Security-Policy "default-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'self'; object-src 'none'; img-src 'self' data:; font-src 'self' https://fonts.gstatic.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; script-src 'self' 'unsafe-inline' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; frame-src https://www.google.com/recaptcha/; connect-src 'self' https://www.google.com/recaptcha/; upgrade-insecure-requests" always;
 
+    auth_basic "Review";
+    auth_basic_user_file /etc/nginx/.htpasswd;
+
     location ~ /\. { deny all; return 404; }
     location ~* \.(env|conf|yml|yaml|md|sh|py|pyc|sql|bak|old|swp|log|dockerfile)$ {
         deny all; return 404;
@@ -61,7 +66,7 @@ server {
         fastcgi_read_timeout 30s;
     }
 
-    location = / { rewrite ^ /api/router.php?type=coming_soon last; }
+    location = / { rewrite ^ /api/router.php?type=home last; }
     location = /about { rewrite ^ /api/router.php?type=about last; }
     location = /about/ { rewrite ^ /api/router.php?type=about last; }
     location = /the-practice { rewrite ^ /api/router.php?type=practice last; }
@@ -89,7 +94,7 @@ server {
     location = /terms-of-service { rewrite ^ /api/router.php?type=legal&slug=terms-of-service last; }
     location = /terms-of-service/ { rewrite ^ /api/router.php?type=legal&slug=terms-of-service last; }
 
-    location / { rewrite ^ /api/router.php?type=coming_soon last; }
+    location / { return 404; }
 
     error_page 404 /404.html;
     error_page 500 502 503 504 /500.html;