server {
  listen 80;
  listen [::]:80;
  server_name {{ item.domain }};
  return 301 https://{{ item.domain }}$request_uri;
}

server {
  listen              443      ssl http2;
  listen              [::]:443 ssl http2;
  server_name         {{ item.domain }};
  access_log          /var/log/nginx/{{ item.domain }}.log main;
{% if proxy.production is defined and proxy.production and proxy.dns_cloudflare.wildcard_domains is defined and item.tls.cert is not defined %}
{% for wildcard in proxy.dns_cloudflare.wildcard_domains %}
{% set domain_regex = '^\*\.' + wildcard + '$' %}
{% if item.domain | regex_search(wildcard) %}
  ssl_certificate     /etc/letsencrypt/live/{{ wildcard }}/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/{{ wildcard }}/privkey.pem;
{% endif %}
{% endfor %}
{% elif proxy.production is defined and proxy.production and item.tls.cert is not defined %}
  ssl_certificate     /etc/letsencrypt/live/{{ item.domain }}/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/{{ item.domain }}/privkey.pem;
{% elif proxy.production is defined and proxy.production and item.tls.cert is defined %}
  ssl_certificate     {{ item.tls.cert }};
  ssl_certificate_key {{ item.tls.key }};
{% else %}
  ssl_certificate     /etc/ssl/certs/nginx-selfsigned.crt;
  ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
{% endif %}
{% if item.hsts is defined %}
  add_header Strict-Transport-Security "max-age={{ item.hsts }}" always;
{% endif %}
{% if item.client_max_body_size is defined %}
  client_max_body_size {{ item.client_max_body_size }};
{% endif %}
  location / {
{% if item.restrict is defined and item.restrict  %}
    auth_basic "{{ item.restrict_name | default('Restricted Access') }}";
    auth_basic_user_file {{ item.restrict_file | default('/etc/nginx/.htpasswd') }};
    proxy_set_header Authorization "";
{% endif %}
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass {{ item.proxy_pass }};
{% if item.proxy_ssl_verify is defined and item.proxy_ssl_verify is false %}
    proxy_ssl_verify off;
{% endif %}
{% if item.websockets is defined and item.websockets %}
    proxy_http_version 1.1;
    proxy_set_header Connection $http_connection;
    proxy_set_header Origin http://$host;
    proxy_set_header Upgrade $http_upgrade;
{% endif %}
  }
}