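{#
  nginx virtual-host template (Jinja2).

  Renders three things:
    1. a plain-HTTP server that only answers ACME challenges and sends every
       other request to HTTPS with a 301,
    2. the main TLS server (its body comes from the `server` variable),
    3. optionally, when `redirect_to_first` is true and there is more than one
       name, a second TLS server that canonicalises `domains[1:]` onto
       `domains[0]`.

  Template variables:
    domains            (required) list of server names; domains[0] is the
                       canonical name used for redirects
    instance_name      (required unless ssl_certificate is given) basename of
                       the certificate chain / private key under /etc/ssl
    before_server,
    after_server       raw nginx config emitted before / after the servers
    nginx_listen80,
    nginx_listen443    override the default `listen` directives
    proxy_protocol     mapping with `ipv4` and `ipv6` lists; enables extra
                       PROXY-protocol listeners on 81 (HTTP) and 442 (TLS)
                       and trusts only the listed peers to assert the real
                       client address
    unsecure_server    raw config emitted inside the port-80 server, after the
                       catch-all redirect (extra locations that must remain
                       reachable over plain HTTP)
    nginx_acme_challenge  body of the ACME challenge location
                       (default: a static root under /var/www/acme)
    ssl_certificate    raw ssl_certificate / ssl_certificate_key directives
    headers            extra add_header lines for the main TLS server
    server             body of the main TLS server (locations, proxy_pass, ...)
    redirect_to_first  see (3) above

  Security notes for maintainers:
    - HSTS is emitted at server level. nginx does not merge add_header across
      levels: a location that sets its own add_header drops every server-level
      header, so locations inside `server` / `headers` that add headers must
      repeat the Strict-Transport-Security line themselves.
    - All redirects are built from $request_uri, the raw request target, not
      from $uri or a regex capture of it. $uri is URL-decoded by nginx, so
      echoing it into a Location header can reintroduce decoded control
      characters; $request_uri cannot.
    - set_real_ip_from is the only thing limiting who may spoof a client
      address through PROXY protocol; keep the lists to the real load
      balancers, and do not expose 81/442 more widely than necessary.
    - TLS protocol / cipher settings are not set here; they are expected to
      come from the enclosing http{} context (verify in the surrounding
      configuration).
#}
{#- PROXY-protocol listeners plus real-IP trust for one server block. -#}
{% macro proxy_protocol_listeners(pp, port, tls=false) -%}
    # Traffic arriving through a PROXY-protocol aware load balancer.
    # Only the peers listed in set_real_ip_from may supply the client
    # address; connections from anyone else keep the TCP peer address.
    listen {{ port }}{% if tls %} ssl http2{% endif %} proxy_protocol;
    listen [::]:{{ port }}{% if tls %} ssl http2{% endif %} proxy_protocol;
    real_ip_header proxy_protocol;
{% for ip in pp.ipv4 %}
    set_real_ip_from {{ ip }};
{% endfor %}
{% for ip in pp.ipv6 %}
    set_real_ip_from {{ ip }};
{% endfor %}
    # Do not leak the internal listener port into redirects.
    port_in_redirect off;
{%- endmacro %}
{#- Certificate directives shared by every TLS server block. -#}
{% macro tls_certificate() -%}
{% if ssl_certificate is defined %}
    {{ ssl_certificate }}
{% else %}
    ssl_certificate /etc/ssl/csr/{{ instance_name }}-fullchain.crt;
    ssl_certificate_key /etc/ssl/private/{{ instance_name }}.pem;
{% endif %}
{%- endmacro %}
{#- Response headers shared by every TLS server block. -#}
{% macro security_headers() -%}
    # "0" explicitly disables the legacy browser XSS auditor, whose
    # filtering has itself been a source of information leaks.
    add_header X-XSS-Protection "0";
    # One year, all subdomains, also on error responses ("always").
    # Note: this applies to every subdomain of every name served here.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains;" always;
{%- endmacro %}
{% if before_server is defined %}
{{ before_server }}
{% endif %}

# ---- plain HTTP: ACME challenges only, everything else -> HTTPS ----
server {
{% if nginx_listen80 is defined -%}
    {{ nginx_listen80 }}
{% else %}
    listen 80;
    listen [::]:80;
{% endif %}
{% if proxy_protocol is defined %}
{{ proxy_protocol_listeners(proxy_protocol, 81) }}
{% endif %}
    server_name {{ domains | join(' ') }};

    location / {
        # Enforce HTTPS. $server_name is the first name of this block
        # (not the client-supplied Host header), so the redirect target
        # cannot be chosen by the client.
        return 301 https://$server_name:443$request_uri;
    }
{% if unsecure_server is defined %}
    {{ unsecure_server }}
{% endif %}
    # Longest-prefix match wins, so this overrides `location /` above and
    # lets HTTP-01 validation succeed before a certificate exists.
    location /.well-known/acme-challenge {
{% if nginx_acme_challenge is defined %}
        {{ nginx_acme_challenge }}
{% else %}
        root /var/www/acme;
{% endif %}
    }
}

# ---- main TLS server ----
server {
{% if nginx_listen443 is defined -%}
    {{ nginx_listen443 }}
{% else %}
    # `http2` on the listen line is the legacy form (nginx >= 1.25.1 also
    # accepts a separate `http2 on;`); kept for compatibility with older
    # releases.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
{% endif %}
    server_name {% if redirect_to_first is not defined or not redirect_to_first %}{{ domains | join(' ') }}{% else %}{{ domains[0] }}{% endif %};
{% if proxy_protocol is defined %}
{{ proxy_protocol_listeners(proxy_protocol, 442, tls=true) }}
{% endif %}
{{ tls_certificate() }}
{{ security_headers() }}
{% if headers is defined %}{{ headers }}{% endif %}
{% if server is defined and server %}
    {{ server }}
{% endif %}
}

{% if redirect_to_first is defined and redirect_to_first and domains|length > 1 %}
# ---- alias names: canonicalise onto domains[0] ----
server {
{% if nginx_listen443 is defined -%}
    {{ nginx_listen443 }}
{% else %}
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
{% endif %}
    server_name {{ domains[1:] | join(' ') }};
{% if proxy_protocol is defined %}
{{ proxy_protocol_listeners(proxy_protocol, 442, tls=true) }}
{% endif %}
{{ tls_certificate() }}
{{ security_headers() }}
    location / {
        # Permanent redirect, matching the HTTP->HTTPS block. `return` with
        # $request_uri keeps path and query string verbatim, whereas a
        # `rewrite (.*) ...$1` captures the decoded $uri and answers 302.
        return 301 https://{{ domains[0] }}$request_uri;
    }
}
{% endif %}
{% if after_server is defined %}
{{ after_server }}
{% endif %}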