{#
  nginx virtual host for one site, rendered from: site, nginx_logdir,
  tls_certs, tls_private, and the optional proxy, redirect and ssl_config.
  Emits an optional upstream pool, the TLS server on 443, and a port-80
  server that serves ACME challenges and redirects everything else.
#}
{% if proxy is defined and proxy is not string %}
{#
  A non-string proxy is treated as a list of backends and becomes a named
  upstream pool. An entry that does not end in ":<digits>" gets port 443.
#}
upstream upstream_{{ site }} {
{% for backend in proxy %}
{% if not (backend | regex_search(".*:[0-9]+$")) %}
    server {{ backend }}:443;
{% else %}
    server {{ backend }};
{% endif %}
{% endfor %}
}
{% endif %}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name {{ site }};

    access_log {{ nginx_logdir }}/{{ site }}.access.log combined;
    error_log {{ nginx_logdir }}/{{ site }}.error.log warn;

{#
  HSTS for two years, sent on every response code ("always").
  nginx inherits add_header from this level only into blocks that declare no
  add_header of their own, so a per-site include or a location that adds any
  header must repeat this line or HSTS is dropped for those responses.
#}
    add_header Strict-Transport-Security "max-age=63072000" always;

{#
  Legacy-client profile, opted into with ssl_config == "old". It enables
  TLSv1 and TLSv1.1 and includes CBC-mode, static-RSA (no forward secrecy)
  and 3DES (DES-CBC3-SHA) suites. Use only where old clients must connect.
  For any other value, or when ssl_config is unset, this template emits no
  ssl_protocols / ssl_ciphers, so the effective policy comes from outside
  this file. NOTE(review): confirm that policy is set at the http level.
#}
{% if ssl_config is defined and ssl_config == "old" %}
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
    ssl_prefer_server_ciphers on;
{% endif %}

    ssl_certificate {{ tls_certs }}/{{ site }}-fullchain.crt;
    ssl_certificate_key {{ tls_private }}/{{ site }}.key;

{#
  Optional per-site snippet, rendered inside the TLS server block ahead of
  the redirect / proxy / root choice below. A missing file is skipped.
#}
    {% include "./{}.conf.j2".format(site) ignore missing %}

{# Precedence: redirect wins over proxy, and proxy wins over the static root. #}
{% if redirect is defined %}
    return 301 {{ redirect }};
{% elif proxy is defined %}
    location / {
{% if proxy is string %}
{#
  Single backend URL, passed through as given. If it is an https:// URL,
  nginx's default (proxy_ssl_verify off) applies to it as well.
#}
        proxy_pass {{ proxy }};
{% else %}
{#
  Certificate verification towards the upstream pool is disabled; the ticket
  cited below is the stated reason. The hop to the backends is therefore
  encrypted but the backend's identity is not authenticated. If the
  limitation can be worked around, prefer proxy_ssl_verify on together with
  proxy_ssl_trusted_certificate and an explicit proxy_ssl_name.
#}
        # https://trac.nginx.org/nginx/ticket/1307
        proxy_ssl_verify off;
        proxy_pass https://upstream_{{ site }};
{% endif %}
    }
{% else %}
    root /srv/web/{{ site }};
{% endif %}
}

server {
    listen 80;
    listen [::]:80;
    server_name {{ site }};

{#
  ACME HTTP-01 challenges are forwarded to the central certbot host. No
  proxy_ssl_verify is set here, so nginx's default (off) applies and that
  host's certificate is not validated on this hop.
#}
    location /.well-known/acme-challenge/ {
        proxy_pass https://certbot.home.foo.sh/.well-known/acme-challenge/;
    }

{#
  Everything else on port 80 is redirected. The fallback target is built from
  $host, which reflects the client's Host header. NOTE(review): if this
  block can become the default server for port 80, the redirect follows
  whatever Host was sent; pinning the target to the site name would avoid it.
#}
    location / {
{% if redirect is not defined %}
        return 301 https://$host$request_uri;
{% else %}
        return 301 {{ redirect }};
{% endif %}
    }
}