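{#
  nginx virtual host template for a single site: one TLS server on 443 and
  one plain-HTTP server on 80 that only serves ACME challenges and redirects.

  Variables read by this template:
    site        - host name; used as server_name, in the certificate and key
                  file names, in the upstream name, the web root and the
                  per-site include directory
    tls_certs   - directory holding <site>-fullchain.crt
    tls_private - directory holding <site>.key
    redirect    - optional; when defined, requests are answered with a 301 to it
    proxy       - optional; a string is used verbatim as the proxy_pass target,
                  any other value is iterated as a list of backends on port 443

  When neither redirect nor proxy is defined, files are served from
  /srv/web/<site>.
#}
{% if proxy is defined and proxy is not string %}
upstream upstream_{{ site }} {
{% for item in proxy %}
    server {{ item }}:443;
{% endfor %}
}
{% endif %}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name {{ site }};

    ssl_certificate {{ tls_certs }}/{{ site }}-fullchain.crt;
    ssl_certificate_key {{ tls_private }}/{{ site }}.key;

{% if redirect is defined %}
    return 301 {{ redirect }};
{% elif proxy is defined %}
    location / {
{#
  NOTE(review): nginx does not validate the certificate of an https backend
  by default (proxy_ssl_verify is off) and sends no SNI (proxy_ssl_server_name
  is off), so the hop to the backend is encrypted but not authenticated.
  Turning verification on needs proxy_ssl_trusted_certificate pointing at a CA
  bundle, which this template has no variable for - confirm whether the
  per-site include below supplies these settings.

  NOTE(review): no proxy_set_header is set here, so with the upstream group
  the backend receives "upstream_<site>" as Host unless a server-level
  proxy_set_header comes from the include below - verify against the backends.
#}
{% if proxy is not string %}
        proxy_pass https://upstream_{{ site }};
{% else %}
        proxy_pass {{ proxy }};
{% endif %}
    }
{% else %}
    root /srv/web/{{ site }};
{% endif %}

    include /etc/nginx/conf.d/{{ site }}/*.conf;
}

{#
  Plain-HTTP server. The former "ssl off;" line is dropped: the listen
  directives below carry no ssl parameter, so TLS is already disabled here,
  and the standalone ssl directive was deprecated in nginx 1.15.0 and is
  rejected as a configuration error from 1.25.1 on.
#}
server {
    listen 80;
    listen [::]:80;
    server_name {{ site }};

{#
  ACME HTTP-01 challenges are relayed to the central certbot host. The same
  default applies as above: the certificate of that https backend is not
  verified unless proxy_ssl_verify is enabled.
#}
    location /.well-known/acme-challenge/ {
        proxy_pass https://certbot.home.foo.sh/.well-known/acme-challenge/;
    }

    location / {
{% if redirect is defined %}
        return 301 {{ redirect }};
{% else %}
{#
  Redirect to the configured site name instead of $host. For requests that
  match server_name the result is identical; if this block ever becomes the
  default server for port 80, a client-supplied Host header is no longer
  reflected into the Location header.
#}
        return 301 https://{{ site }}$request_uri;
{% endif %}
    }
}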