server {
    listen 80;
    server_name {{nginx_server_name}};
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name {{nginx_server_name}};

    ssl_certificate {{nginx_ssl_cert}};
    ssl_certificate_key {{nginx_ssl_privkey}};
    ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;

    gzip on;
    gzip_types
      application/javascript
      application/x-javascript
      application/json
      application/rss+xml
      application/xml
      image/svg+xml
      image/x-icon
      application/vnd.ms-fontobject
      application/font-sfnt
      text/css
      text/plain;
    gzip_min_length 256;
    gzip_comp_level 5;
    gzip_http_version 1.1;
    gzip_vary on;

    location ~ ^/.well-known/(webfinger|nodeinfo|host-meta) {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;

        set $upstream http://127.0.0.1:{{nginx_proxy_port}};
        proxy_pass $upstream;

        proxy_redirect off;
    }

    location ~ ^/(css|img|js|fonts)/ {
        root {{nginx_static_content}};
        # Optionally cache these files in the browser:
        # expires 12M;
    }

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;

        set $upstream http://127.0.0.1:{{nginx_proxy_port}};
        proxy_pass $upstream;

        proxy_redirect off;
    }
}