server {
        listen 80;
	server_name {{ instance.name }};
{% if instance.alias is defined %}
  {% for alias in instance.alias %}
	server_name {{ alias }};
  {% endfor %}
{% endif %}
        include snippets/letsencrypt.conf;
        location / { return 301 https://$http_host$request_uri; }
}

server {
	listen 443 ssl http2;
        server_name {{ instance.name }};
        ssl_certificate /var/lib/dehydrated/certs/{{ instance.name }}/fullchain.pem;
        ssl_certificate_key /var/lib/dehydrated/certs/{{ instance.name }}/privkey.pem;
        include /etc/nginx/proxy_params;
        add_header Referrer-Policy $referrerpolicy;
        add_header Strict-Transport-Security $sts;
        add_header X-Content-Type-Options $xcontentoptions;
        add_header X-XSS-Protection $xxssprotection;

        location ~ /.well-known/(carddav|caldav) {
                return 301 $scheme://$host/remote.php/dav;
        }

        location ~ \.* {
                proxy_pass http://{{ inventory_hostname }}:80;
        }
}

{% if instance.alias is defined %}
  {% for alias in instance.alias %}
server {
	listen 443 ssl http2;
        server_name {{ alias }};
        ssl_certificate /var/lib/dehydrated/certs/{{ alias }}/fullchain.pem;
        ssl_certificate_key /var/lib/dehydrated/certs/{{ alias }}/privkey.pem;
        include /etc/nginx/proxy_params;
        add_header Referrer-Policy $referrerpolicy;
        add_header Strict-Transport-Security $sts;
        add_header X-Content-Type-Options $xcontentoptions;
        add_header X-XSS-Protection $xxssprotection;

        location ~ /.well-known/(carddav|caldav) {
                return 301 $scheme://$host/remote.php/dav;
        }

        location ~ \.* {
                proxy_pass http://{{ inventory_hostname }}:80;
        }
}
  {% endfor %}
{% endif %}