{#
  Renders the nginx server block(s) for one vhost described by nginx_vhost.

  Without nginx_vhost.tls: a single plain-HTTP server block that carries the
  body from includes/body.j2.
  With nginx_vhost.tls: the plain-HTTP block only pulls in the certificate
  provider snippet (when one applies) and redirects everything else to HTTPS;
  a second block terminates TLS and carries the body.

  Every nginx_vhost value is written into the config verbatim. Nothing here
  quotes or escapes them, so a value containing ';' or braces changes the
  structure of the rendered file. Treat the inventory that feeds this template
  as trusted input and check the rendered result with `nginx -t` before reload.

  The helper names below live inside the with-block so they are not handed on
  to includes/body.j2.
#}
{% with default_flag = ' default_server' if ('default' in nginx_vhost and nginx_vhost.default) else '',
        server_names = nginx_vhost.hostnames | default(['_']) | join(' '),
        access_log_path = nginx_vhost.logs.access | default('/var/log/nginx/' + nginx_vhost.name + '_access.log'),
        error_log_path = nginx_vhost.logs.error | default('/var/log/nginx/' + nginx_vhost.name + '_error.log') %}
server {
{% for listen_spec in (nginx_vhost.listen | default(['80', '[::]:80'])) %}
    listen {{ listen_spec }}{{ default_flag }};
{% endfor %}
    server_name {{ server_names }};
    access_log {{ access_log_path }};
    error_log {{ error_log_path }};
{% if 'tls' in nginx_vhost %}
{# Only these two provider names ever reach the include path; any other
   provider gets no snippet. What the snippets contain is not visible here
   (presumably the ACME challenge location; confirm in the role's snippets). #}
{% set provider_has_snippet = nginx_vhost.tls.certificate_provider in ['acmetool', 'uacme'] %}
{% if provider_has_snippet %}
    include snippets/{{ nginx_vhost.tls.certificate_provider }}.conf;
{% endif %}
{# NOTE(review): $host is taken from the request's Host header. On a vhost
   with no hostnames (server_name _) or one marked default_server, the
   redirect target is therefore whatever name the client sent. If that
   matters for this vhost, redirect to a fixed canonical hostname instead. #}
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
{# NOTE(review): the http2 parameter of listen is deprecated from nginx 1.25.1
   in favour of a separate `http2 on;` directive; newer builds log a warning. #}
{% for listen_spec in (nginx_vhost.tls.listen | default(['443', '[::]:443'])) %}
    listen {{ listen_spec }} ssl http2{{ default_flag }};
{% endfor %}
    server_name {{ server_names }};
    access_log {{ access_log_path }};
    error_log {{ error_log_path }};
{% if provider_has_snippet %}
    include snippets/{{ nginx_vhost.tls.certificate_provider }}.conf;
{% endif %}
{# The protocol and cipher policy lives in snippets/tls.conf or
   snippets/tls-VARIANT.conf. Unlike the provider name, tls.variant is not
   checked against a list here, so it has to name a snippet that exists. #}
    include snippets/tls{{ ('-' ~ nginx_vhost.tls.variant) if 'variant' in nginx_vhost.tls else '' }}.conf;
{# Both certificate paths come from variables set outside this template. #}
    ssl_certificate {{ x509_certificate_path_fullchain }};
    ssl_certificate_key {{ x509_certificate_path_key }};
{# HSTS is on unless tls.hsts is present and falsy. Browsers remember the
   policy, so check the values in snippets/hsts.conf (not visible here) before
   enabling it on a hostname that may need plain HTTP again. #}
{% if not ('hsts' in nginx_vhost.tls and not nginx_vhost.tls.hsts) %}
    include snippets/hsts.conf;
{% endif %}
{% endif %}
{% endwith %}
{# The vhost body lands in whichever server block is still open at this
   point: the TLS block when tls is configured, otherwise the HTTP block. #}
{% include 'includes/body.j2' %}
}