server {
% if domain_aliases:
    server_name ${domain} ${' '.join(sorted(domain_aliases))};
% else:
    server_name ${domain};
% endif
    root ${webroot if webroot else '/var/www/{}/'.format(vhost)};
    index ${' '.join(index)};

    listen       80;
    listen       [::]:80;

% if ssl:
    location / {
        return 308 https://$host$request_uri;
    }

%   if ssl == 'letsencrypt':
    location /.well-known/acme-challenge/ {
        alias /var/lib/dehydrated/acme-challenges/;
    }
%   endif
}

server {
%   if domain_aliases:
    server_name ${domain} ${' '.join(sorted(domain_aliases))};
%   else:
    server_name ${domain};
%   endif
    root ${webroot if webroot else '/var/www/{}/'.format(vhost)};
    index ${' '.join(index)};

    listen 443 ssl http2;
    listen [::]:443 ssl http2;

%   if ssl == 'letsencrypt':
    ssl_certificate /var/lib/dehydrated/certs/${domain}/fullchain.pem;
    ssl_certificate_key /var/lib/dehydrated/certs/${domain}/privkey.pem;
%   else:
    ssl_certificate /etc/nginx/ssl/${vhost}.crt;
    ssl_certificate_key /etc/nginx/ssl/${vhost}.key;
%   endif
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
% endif

    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

% if max_body_size:
    client_max_body_size ${max_body_size};
% elif proxy or php:
    client_max_body_size 5M;
% endif

% if not do_not_set_content_security_headers:
    add_header Referrer-Policy same-origin;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
% endif
    add_header Permissions-Policy interest-cohort=();

    location /.well-known/acme-challenge/ {
        alias /var/lib/dehydrated/acme-challenges/;
    }

% if security_txt:
    location = /.well-known/security.txt {
        alias /etc/nginx/security.txt.d/${vhost};
    }
% endif

% if proxy:
%     for location, options in proxy.items():
    location ${location} {
        proxy_pass           ${options['target']};
        proxy_http_version   ${options.get('http_version', '1.1')};
        proxy_set_header     Host ${domain};
% if options.get('websockets', False):
        proxy_set_header     Connection "upgrade";
        proxy_set_header     Upgrade $http_upgrade;
% endif
        proxy_set_header     X-Forwarded-For $proxy_add_x_forwarded_for;
% if ssl:
        proxy_set_header     X-Forwarded-Proto HTTPS;
% endif
        proxy_set_header     X-Forwarded-Host ${domain};
% for option, value in options.get('proxy_set_header', {}).items():
        proxy_set_header     ${option} ${value};
% endfor
% if location != '/':
        proxy_set_header     X-Script-Name ${location};
% endif
        proxy_buffering      off;
    }
%     endfor
% endif

% if php:
    location ~ \.php$ {
        include fastcgi.conf;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php${php_version}-fpm.sock;
    }
% endif

% if extras:
<%include file="extras/${node.name}/${vhost}" />
% endif
}