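# HTTPS virtual host rendered from the `vhost` variable (Jinja2 template).
# Every templated value below is written into the config verbatim, so it must
# come from trusted inventory data, never from user-controlled input.
server {
    server_name {{ vhost.server_names | join(' ') }};
    listen 443 ssl;
    listen [::]:443 ssl;

    # Certificate base name: certificate_name, else vhost.certificate_name, else vhost.name.
    ssl_certificate /etc/ssl/certs/{{ certificate_name | default(vhost.certificate_name) | default(vhost.name) }}.fullchain.pem;
    ssl_certificate_key /etc/ssl/private/{{ certificate_name | default(vhost.certificate_name) | default(vhost.name) }}.key.pem;

    # `always` sends HSTS on error responses too; without it add_header only
    # applies to a fixed set of success and redirect status codes.
    # NOTE(review): add_header is not inherited by a location that declares its
    # own add_header; repeat this line there if one is ever added.
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; " always;
    charset utf-8;

{% if vhost.try_files is defined %}
    try_files {{ vhost.try_files }};
{% endif %}

{% if vhost.locations is defined %}
{% for loc in vhost.locations %}
    location {{ loc.location }} {
{% if loc.proxy_pass is defined %}
        {# Host is forwarded exactly as the client sent it ($http_host), and
           $proxy_add_x_forwarded_for appends to any client-supplied
           X-Forwarded-For. The backend should validate Host and trust only
           the last X-Forwarded-For entry. #}
        proxy_pass {{ loc.proxy_pass }};
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
{% endif %}
{% if loc.alias is defined %}
        {# Keep the trailing slash of loc.location and loc.alias consistent;
           a prefix location without one, mapped to an alias with one, can
           expose files outside the aliased directory. #}
        alias {{ loc.alias }};
{% endif %}
{% if loc.try_files is defined %}
        try_files {{ loc.try_files }};
{% endif %}
{% if loc.redirect is defined %}
        return 301 {{ loc.redirect }};
{% endif %}
    }
{% endfor %}
{% endif %}

{% if vhost.root is defined %}
    root {{ vhost.root }};
{% endif %}
}

# Plain-HTTP virtual host: serves ACME HTTP-01 challenges and redirects
# everything else to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name {{ vhost.server_names | join(' ') }};

    location /.well-known/acme-challenge {
        default_type "text/plain";
        root /var/www/default;
    }

    # The redirect lives in a location block on purpose: a server-level `return`
    # runs before location matching, so the ACME location above would never be
    # reached and certificate issuance or renewal over HTTP-01 would fail.
    # NOTE(review): $host can come from the request's Host header; if this block
    # can act as the default server, consider redirecting to a fixed name.
    location / {
        return 301 https://$host$request_uri;
    }
}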