#
# Default server (vhost) configuration.
#
{% if default_enforce_https -%}
server {
    # HTTP (plaintext) configuration.
    listen 80 default_server;
    listen [::]:80 default_server;

    # Set server_name to something that won't be matched (for default server).
    server_name _;

    # Redirect plaintext connections to HTTPS
    return 301 https://$host$request_uri;
}

{% endif -%}
server {
{% if not default_enforce_https %}
    # HTTP (plaintext) configuration.
    listen 80 default_server;
    listen [::]:80 default_server;

{% endif %}
    # HTTPS (TLS) configuration.
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl_certificate_key /etc/ssl/private/{{ ansible_fqdn }}_https.key;
    ssl_certificate /etc/ssl/certs/{{ ansible_fqdn }}_https.pem;

{% if default_enforce_https %}
    # Set-up HSTS header for preventing downgrades for users that visited the
    # site via HTTPS at least once.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
{% endif %}

    # Set-up the serving of default page.
    root /var/www/default/;
    index index.html;

    # Set server_name to something that won't be matched (for default server).
    server_name _;

    location / {
        # Always point user to the same index page.
        try_files $uri /index.html;
    }
}