ansible/roles/nginx/templates/default.j2

# {{ ansible_managed }}

server {
    listen 80 default_server;
    listen [::]:80

    server_name {{ inventory_hostname }};

    # Accept ACME-Challenges over http
    location ^~ /.well-known/acme-challenge/ {
        alias {{ nginx_wk_acme }}/;
    }

    # Block .ht files
    location ~ /\.ht {
        deny all;
    }

    # Redirect everything to https by default
    location / {
        return 301 https://$host$request_uri;
    }

    location /server_status {
        # Enable Nginx stats
        stub_status on;
        # Only allow access from localhost
        allow 127.0.0.1;
        # Other request should be denied
        deny all;
    }
}

{% for line in nginx_default_extra | default([]) %}
{{ line }}
{% endfor %}