nginx: Configure proxy key/cert globally and not in site

roles/nginx/server/templates/nginx.conf.j2

@@ -25,6 +25,9 @@ http {
     ssl_ciphers {{ tls_ciphers }};
     ssl_prefer_server_ciphers off;
 
+    proxy_ssl_certificate {{ tls_certs }}/{{ inventory_hostname }}.crt;
+    proxy_ssl_certificate_key {{ tls_private }}/{{ inventory_hostname }}.key;
+
     server {
         listen 443 ssl http2;
         listen [::]:443 ssl http2;

roles/nginx/site/templates/site.conf.j2

@@ -22,8 +22,6 @@ server {
 {%  else %}
         proxy_pass {{ proxy }};
 {%  endif %}
-        proxy_ssl_certificate {{ tls_certs }}/{{ inventory_hostname }}.crt;
-        proxy_ssl_certificate_key {{ tls_private }}/{{ inventory_hostname }}.key;
     }
 {% else %}
     root /srv/web/{{ site }};
@@ -38,8 +36,6 @@ server {
     server_name {{ site }};
     location /.well-known/acme-challenge/ {
         proxy_pass https://certbot.home.foo.sh/.well-known/acme-challenge/;
-        proxy_ssl_certificate {{ tls_certs }}/{{ inventory_hostname }}.crt;
-        proxy_ssl_certificate_key {{ tls_private }}/{{ inventory_hostname }}.key;
     }
     location / {
 {% if redirect is defined %}