server {
    server_name ${domain};
    root ${webroot if webroot else '/var/www/{}/'.format(domain)};
    index ${index if index else 'index.html index.htm'};

    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    ssl_trusted_certificate /var/lib/dehydrated/certs/${domain}/chain.pem;
    ssl_certificate /var/lib/dehydrated/certs/${domain}/fullchain.pem;
    ssl_certificate_key /var/lib/dehydrated/certs/${domain}/privkey.pem;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";

% if not do_not_set_content_security_headers:
    add_header Referrer-Policy same-origin;
    add_header X-Frame-Options "DENY";
    add_header X-Content-Type-Options nosniff;
% endif

    location /.well-known/acme-challenge/ {
        alias /var/lib/dehydrated/acme-challenges/;
    }

% if proxy:
%     for location, proxy_pass in proxy.items():
    location ${location} {
        proxy_pass           ${proxy_pass};
        proxy_set_header     X-Script-Name /;
        proxy_set_header     X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header     X-Forwarded-Proto HTTPS;
        proxy_set_header     X-Forwarded-Host ${domain};
        proxy_buffering      off;
    }
%     endfor
% endif

% if php:
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    }
% endif

% if extras:
<%include file="extras/${node.name}/${domain}" />
% endif
}