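{#
  nginx virtual-host template (Jinja2).

  Renders a plain-HTTP server block (ACME challenge + HTTPS redirect) and,
  unless `notls` is defined, a TLS server block for the same names.

  Variables read by this template (all optional unless noted):
    domains                 (required) list of server names; domains[0] is the primary name
                            and is also the certificate basename fallback
    before_server / after_server
                            raw nginx config emitted before / after the server blocks
    nginx_listen80 / nginx_listen443
                            raw directives replacing the default listen lines
    proxy_protocol          when defined, adds PROXY-protocol listeners (81 / 442);
                            .ipv4 and .ipv6 are the lists of trusted proxy addresses
    notls                   when defined, no TLS block and no HTTP->HTTPS redirect
    unsecure_server         extra config for the HTTP block; also suppresses the redirect
    nginx_acme_challenge    extra config inside the ACME challenge location
    redirect_to_first       when true, the TLS block serves only domains[0] and a second
                            TLS block 301-redirects the remaining names to it
    ssl_certificate         raw ssl_certificate / ssl_certificate_key directives
    instance_name           certificate basename under /etc/ssl/{csr,private}
    headers, server, server2
                            extra config appended to the TLS server block

  NOTE(review): ssl_protocols / ssl_ciphers are not set here; they are presumably
  configured at http{} level in nginx.conf -- confirm before relying on this template
  for TLS hardening.
#}
{#
  PROXY-protocol listeners for one port. `real_ip_header proxy_protocol` only takes
  effect for peers listed via set_real_ip_from, so the client address can only be
  rewritten by the proxies enumerated in proxy_protocol.ipv4 / .ipv6.
#}
{% macro proxy_protocol_listeners(port, opts) -%}
    listen {{ port }}{{ opts }} proxy_protocol;
    listen [::]:{{ port }}{{ opts }} proxy_protocol;
    real_ip_header proxy_protocol;
{% for ip in proxy_protocol.ipv4 %}
    set_real_ip_from {{ ip }};
{% endfor %}
{% for ip in proxy_protocol.ipv6 %}
    set_real_ip_from {{ ip }};
{% endfor %}
    port_in_redirect off;
{%- endmacro %}
{#
  Certificate directives: explicit ssl_certificate text wins, then instance_name,
  then the primary domain as file basename.
#}
{% macro tls_certificate() -%}
{% if ssl_certificate is defined %}
    {{ ssl_certificate | indent(4) }}
{% elif instance_name is defined %}
    ssl_certificate /etc/ssl/csr/{{ instance_name }}-fullchain.crt;
    ssl_certificate_key /etc/ssl/private/{{ instance_name }}.pem;
{% else %}
    ssl_certificate /etc/ssl/csr/{{ domains[0] }}-fullchain.crt;
    ssl_certificate_key /etc/ssl/private/{{ domains[0] }}.pem;
{% endif %}
{%- endmacro %}
{#
  Response headers shared by every TLS block. nginx `add_header` is not inherited
  by a location that declares add_header itself, so config injected via
  `headers` / `server` / `server2` that sets headers inside a location must repeat
  the HSTS header there.
#}
{% macro tls_headers() -%}
    add_header X-XSS-Protection "0";
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains;" always;
{%- endmacro %}
{% if before_server is defined %}
{{ before_server }}
{% endif %}
server {
{% if nginx_listen80 is defined %}
    {{ nginx_listen80 }}
{% else %}
    listen 80;
    listen [::]:80;
{% if proxy_protocol is defined %}
{{ proxy_protocol_listeners(81, '') }}
{% endif %}
{% endif %}
    server_name {{ domains | join(' ') }};
{%+ if notls is not defined and unsecure_server is not defined %}
    location / {
        # enforce https
        # $server_name is the first name of this block, not the request Host
        # header, so the redirect target cannot be steered by the client.
        return 301 https://$server_name:443$request_uri;
    }
{% endif %}
{% if unsecure_server is defined -%}
    {{ unsecure_server | indent(4) }}
{%- endif %}
    {# longest-prefix match keeps the ACME path reachable over plain HTTP #}
    location /.well-known/acme-challenge {
        root /var/www/acme;
{% if nginx_acme_challenge is defined %}
        {{ nginx_acme_challenge }}
{% endif %}
    }
}
{%+ if notls is not defined %}
server {
{% if nginx_listen443 is defined %}
    {{ nginx_listen443 }}
{% else %}
    {# `http2` as a listen parameter is deprecated since nginx 1.25.1 in favour of
       `http2 on;` -- kept as-is until the target nginx version is known #}
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
{% if proxy_protocol is defined %}
{{ proxy_protocol_listeners(442, ' ssl http2') }}
{% endif %}
{% endif %}
    server_name {% if redirect_to_first is not defined or not redirect_to_first %}{{ domains | join(' ') }}{% else %}{{ domains[0] }}{% endif %};
{{ tls_certificate() }}
{{ tls_headers() }}
{%+ if headers is defined %}{{ headers }}{% endif %}
{# `is defined` guard keeps this safe under StrictUndefined; falsy values still skip #}
{% if server is defined and server -%}
    {{ server | indent(4) }}
{%- endif %}
{% if server2 is defined -%}
    {{ server2 | indent(4) }}
{%- endif %}
}
{% if redirect_to_first is defined and redirect_to_first and domains|length > 1 %}
{# secondary names: same certificate and headers, everything 301s to the primary #}
server {
{% if nginx_listen443 is defined -%}
    {{ nginx_listen443 }}
{% else %}
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
{% if proxy_protocol is defined %}
{{ proxy_protocol_listeners(442, ' ssl http2') }}
{% endif %}
{% endif %}
    server_name {{ domains[1:] | join(' ') }};
{{ tls_certificate() }}
{{ tls_headers() }}
    location / {
        rewrite (.*) https://{{ domains[0] }}$1 permanent;
    }
}
{% endif %}
{% endif %}
{% if after_server is defined %}
{{ after_server }}
{% endif %}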