server {
% if domain_aliases:
    server_name ${domain} ${' '.join(sorted(domain_aliases))};
% else:
    server_name ${domain};
% endif
    root ${webroot if webroot else '/var/www/{}/'.format(vhost)};
    index ${' '.join(index)};

    listen       80;
    listen       [::]:80;

% if ssl:
    location / {
        return 308 https://$host$request_uri;
    }

%   if ssl == 'letsencrypt':
    location /.well-known/acme-challenge/ {
        alias /var/lib/dehydrated/acme-challenges/;
    }
%   endif
}

server {
%   if domain_aliases:
    server_name ${domain} ${' '.join(sorted(domain_aliases))};
%   else:
    server_name ${domain};
%   endif
    root ${webroot if webroot else '/var/www/{}/'.format(vhost)};
    index ${' '.join(index)};

    listen 443 ssl http2;
    listen [::]:443 ssl http2;

%   if ssl == 'letsencrypt':
    ssl_certificate /var/lib/dehydrated/certs/${domain}/fullchain.pem;
    ssl_certificate_key /var/lib/dehydrated/certs/${domain}/privkey.pem;
%   else:
    ssl_certificate /etc/nginx/ssl/${vhost}.crt;
    ssl_certificate_key /etc/nginx/ssl/${vhost}.key;
%   endif
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
% endif

    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

% if create_access_log:
    access_log /var/log/nginx/access-${vhost}.log gdpr;
% endif
    access_log /var/log/nginx-timing/${vhost}.log anon_timing;
    # error_log is disabled globally

% if max_body_size:
    client_max_body_size ${max_body_size};
% endif

% if not do_not_set_content_security_headers:
    add_header Referrer-Policy same-origin;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
% endif
    add_header Permissions-Policy interest-cohort=();

    error_page 404 /not_found.html;
    location = /not_found.html {
        root /var/www/;
        internal;
    }

    error_page 500 502 503 504 /error.html;
    location = /error.html {
        root /var/www/;
        internal;
    }

%   if ssl == 'letsencrypt':
    location /.well-known/acme-challenge/ {
        alias /var/lib/dehydrated/acme-challenges/;
    }
%   endif

% if security_txt:
    location = /.well-known/security.txt {
        alias /etc/nginx/security.txt.d/${vhost};
    }
% endif

% if locations:
%  for location, options in sorted(locations.items()):
    location ${location} {
%   if 'target' in options:
        proxy_pass           ${options['target']};
        proxy_http_version   ${options.get('http_version', '1.1')};
        proxy_set_header     Host ${domain};
%    if options.get('websockets', False):
        proxy_set_header     Connection "upgrade";
        proxy_set_header     Upgrade $http_upgrade;
%    endif
        proxy_set_header     X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header     X-Forwarded-Proto $scheme;
        proxy_set_header     X-Forwarded-Host ${options.get('x_forwarded_host', domain)};
%    for option, value in options.get('proxy_set_header', {}).items():
        proxy_set_header     ${option} ${value};
%    endfor
%    if location != '/':
        proxy_set_header     X-Script-Name ${location};
%    endif
        proxy_buffering      off;
        proxy_read_timeout   ${options.get('proxy_read_timeout', 60)};
        client_max_body_size ${options.get('max_body_size', '5M')};
%   elif 'redirect' in options:
        return ${options.get('mode', 308)} ${options['redirect']};
%   elif 'return' in options:
        return ${options.get('mode', 200)} '${options['return']}';
%   elif 'root' in options:
        root ${options['root']};
%   elif 'alias' in options:
        alias ${options['alias']};
%   endif
%   if 'auth' in options:
        auth_basic "${options['auth'].get('realm', vhost)}";
        auth_basic_user_file ${options['auth']['file']};
%   endif
%   for opt in sorted(options.get('additional_config', set())):
        ${opt};
%   endfor
    }

%  endfor
% endif
% if php:
    location ~ \.php$ {
        include fastcgi.conf;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php${php_version}-fpm.sock;
    }
%  if not max_body_size:
    client_max_body_size 5M;
%  endif

% endif
% if extras:
<%include file="extras/${node.name}/${vhost}" />
% endif
}