server {
    listen 80;
    listen [::]:80;
    server_name {{ $domain }}@if ($redirect_www) www.{{ $domain }}@endif;
    return 301 https://{{ $domain }}$request_uri;
}

@if ($redirect_www)
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    ssl_certificate /etc/letsencrypt/live/www.{{ $domain }}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.{{ $domain }}/privkey.pem;

    include /etc/nginx/snippets/snippets/ssl-params.conf;
    include /etc/nginx/snippets/secure-headers.conf;

    server_name www.{{ $domain }};
    return 301 https://{{ $domain }}$request_uri;
}
@endif

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    ssl_certificate /etc/letsencrypt/live/{{ $domain }}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/{{ $domain }}/privkey.pem;

    include /etc/nginx/snippets/snippets/ssl-params.conf;
    include /etc/nginx/snippets/secure-headers.conf;

    add_header Content-Security-Policy "
        default-src 'self';
        font-src 'self';
        style-src 'self';
        img-src 'self';
        base-uri 'self';
        form-action 'self';
        frame-ancestors 'self';
    ";

    @include('partials.default', ['domain' => $domain])

    @yield('server')
}