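{#
  nginx server block for one virtual host, rendered once per loop item.

  Inputs (read from the loop variable `item`):
    item.key                   vhost name, used to build the certificate file names
    item.value.servername      list of host names, joined with spaces into server_name
    item.value.listen.ssl          emit TLS listeners (default: True)
    item.value.listen.ssl_port     TLS port (default: 443)
    item.value.listen.nossl        emit plain-HTTP listeners (default: False)
    item.value.listen.nossl_port   plain-HTTP port (default: 80)
    item.value.default_server  add the default_server parameter to every listener (default: False)
    item.value.backend         upstream URL; when set, "/" is reverse-proxied to it
    item.value.letsencrypt     emit the certificate and OCSP stapling directives (default: True)

  Fix: the plain-HTTP listeners used to carry the "ssl" parameter, which makes
  nginx expect a TLS handshake on the cleartext port. The parameter is now
  emitted on the TLS listeners only.
#}
{% set vhost = item.value %}
{% set vhost_name = item.key %}
{% set vhost_listen = vhost.listen|default({}) %}
{% set default_flag = ' default_server' if vhost.default_server|default(False) else '' %}
server {
    server_name {{ vhost.servername|join(' ') }};

{% if vhost_listen.ssl|default(True) %}
    # TLS listeners, IPv4 and IPv6.
    listen {{ vhost_listen.ssl_port|default(443) }} ssl{{ default_flag }};
    listen [::]:{{ vhost_listen.ssl_port|default(443) }} ssl{{ default_flag }};
{% endif %}

{% if vhost_listen.nossl|default(False) %}
    # Plain-HTTP listeners, IPv4 and IPv6. Deliberately without "ssl".
    # Everything in this server block, including the proxied location, is then
    # also reachable in cleartext on this port.
    listen {{ vhost_listen.nossl_port|default(80) }}{{ default_flag }};
    listen [::]:{{ vhost_listen.nossl_port|default(80) }}{{ default_flag }};
{% endif %}

{% if vhost.backend|default(False) %}
    location / {
        proxy_pass {{ vhost.backend }};

        # add proxy headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the
        # client sent, so the backend must not trust the left-most entries.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # hide downstream headers for security reasons
        proxy_hide_header X-Powered-By;
        proxy_hide_header Server;
        proxy_hide_header X-AspNetMvc-Version;
        proxy_hide_header X-AspNet-Version;
    }
{% endif %}

{% if vhost.letsencrypt|d(True) %}
    # Certificate and key are looked up by vhost name. This block depends only
    # on vhost.letsencrypt, not on listen.ssl: a vhost with TLS listeners and
    # letsencrypt disabled gets no certificate directives from this template.
    ssl_certificate /etc/ssl/letsencrypt_{{ vhost_name }}_chained.crt;
    ssl_certificate_key /etc/ssl/private/letsencrypt_{{ vhost_name }}.key;
    ssl_trusted_certificate /etc/ssl/letsencrypt_full_chain.crt;
    # NOTE(review): stapling needs nginx to resolve the OCSP responder host and
    # no resolver directive is set in this block; confirm one exists at http
    # level and that the issuing CA still operates an OCSP responder.
    ssl_stapling_verify on;
    ssl_stapling on;
{% endif %}
}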