server {
  listen       {{ item.domain }}:443 ssl http2 fastopen=4096 reuseport;
  server_name  {{ item.domain }};

  access_log  /var/log/nginx/{{ item.domain }}.access.log main buffer=32k;
  error_log   /var/log/nginx/{{ item.domain }}.error.log error;

  ssl on;

  include /etc/nginx/ssl_params;

{% if nginx.ssl == "modern" %}
  include /etc/nginx/ssl_ciphers_modern;
{% elif nginx.ssl == "tls13" %}
  include /etc/nginx/ssl_ciphers_tls13;
{% else %}
  # Default, just use commonly accepted options:
  include /etc/nginx/ssl_ciphers_intermediate;
{% endif %}

  ssl_certificate     /etc/ssl/{{ item.domain }}-cert-combined.rsa2048.pem;
  ssl_certificate_key /etc/ssl/private/{{ item.domain }}-key.rsa2048.pem;

  # nginx >= 1.11.0 (2016-05-24) allows loading redundant certs and keys so you
  # can serve modern EC clients and less modern RSA clients at the same time.
  ssl_certificate     /etc/ssl/{{ item.domain }}-cert-combined.prime256v1.pem;
  ssl_certificate_key /etc/ssl/private/{{ item.domain }}-key.prime256v1.pem;

  root   /srv/web/{{ item.domain }};

{% if nginx.google is defined %}
  location /{{ nginx.google.siteKey }}.html {
    root {{ nginx.google.siteKeyServeDir }}};
  }
{% endif %}

{% if item.customConfig is defined %}
{{ item.customConfig }}
{% endif %}

{% for location in item.uri %}
  location {{ location.path }} {
{% if location.appServer is defined %}
    proxy_pass {{ location.appServer }}/$request_uri;
    proxy_set_header Host $host;
{% else %}
    root /srv/web/{{ item.domain }};
{% endif %}
  }
{% endfor %}
}

server {
  listen       {{ item.domain }} fastopen=4096 reuseport;
  server_name  www.{{ item.domain }} {{ item.domain }};

  access_log  /var/log/nginx/{{ item.domain }}.access.log main buffer=32k;
  error_log   /var/log/nginx/{{ item.domain }}.error.log error;

  location /.well-known/acme-challenge/ {
      alias /srv/web/challenges/;
      try_files $uri =404;
  }

  location / {
    return 301 https://{{ item.domain }}$request_uri;
  }
}