
chore: Combine identical HTTP and HTTPS servers

Richard Hansen 3 년 전
부모
커밋
744bd82c54
1개의 변경된 파일16개의 추가작업 그리고 56개의 파일을 삭제
  1. 16 56
      nginx.tmpl

+ 16 - 56
nginx.tmpl

@@ -239,25 +239,19 @@ server {
 	{{ end }}
 	{{ $access_log }}
 	return 503;
-}
 
 {{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
-server {
-	server_name _; # This is just an invalid value which will never trigger on a real hostname.
-	server_tokens off;
 	listen {{ $external_https_port }} ssl http2;
 	{{ if $enable_ipv6 }}
 	listen [::]:{{ $external_https_port }} ssl http2;
 	{{ end }}
-	{{ $access_log }}
-	return 503;
 
 	ssl_session_cache shared:SSL:50m;
 	ssl_session_tickets off;
 	ssl_certificate /etc/nginx/certs/default.crt;
 	ssl_certificate_key /etc/nginx/certs/default.key;
-}
 {{ end }}
+}
 
 {{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }}
 
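Review bot: The TLS half of the fallback server is now an optional fragment inside the `server` block, and nothing in the hunk records what happens to unmatched HTTPS requests when `default.crt` or `default.key` is missing. In that case this server has no `listen {{ $external_https_port }}` line, so nginx will presumably hand unmatched TLS requests to whichever vhost is the default for that port and present that vhost's certificate. A template comment above the `{{ if (and (exists "/etc/nginx/certs/default.crt") ...` line would make this explicit, e.g. `{{/* Without default.crt/default.key this server does not listen on the HTTPS port; unmatched TLS requests are then answered by another server and its certificate. */}}`. The `server` block opens above the hunk, so the `server_name` and `server_tokens` lines that the merged block now relies on cannot be checked from here.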
@@ -317,9 +311,7 @@ server {
 
 {{ $is_https := (and (ne $https_method "nohttps") (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }}
 
-{{ if $is_https }}
-
-{{ if eq $https_method "redirect" }}
+{{ if and $is_https (eq $https_method "redirect") }}
 server {
 	server_name {{ $host }};
 	{{ if $server_tokens }}
@@ -356,11 +348,18 @@ server {
 	{{ if $server_tokens }}
 	server_tokens {{ $server_tokens }};
 	{{ end }}
+	{{ $access_log }}
+    {{- if or (not $is_https) (eq $https_method "noredirect") }}
+	listen {{ $external_http_port }} {{ $default_server }};
+	{{ if $enable_ipv6 }}
+	listen [::]:{{ $external_http_port }} {{ $default_server }};
+	{{ end }}
+    {{- end }}
+    {{- if $is_https }}
 	listen {{ $external_https_port }} ssl http2 {{ $default_server }};
 	{{ if $enable_ipv6 }}
 	listen [::]:{{ $external_https_port }} ssl http2 {{ $default_server }};
 	{{ end }}
-	{{ $access_log }}
 
 	{{ template "ssl_policy" (dict "ssl_policy" $ssl_policy) }}
 
@@ -382,51 +381,13 @@ server {
 	{{ end }}
 
 	{{ if (not (or (eq $https_method "noredirect") (eq $hsts "off"))) }}
-	add_header Strict-Transport-Security "{{ trim $hsts }}" always;
-	{{ end }}
-
-	{{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
-	include {{ printf "/etc/nginx/vhost.d/%s" $host }};
-	{{ else if (exists "/etc/nginx/vhost.d/default") }}
-	include /etc/nginx/vhost.d/default;
-	{{ end }}
-
-		{{ range $path, $containers := $paths }}
-			{{/* Get the VIRTUAL_PROTO defined by containers w/ the same vhost-vpath, falling back to "http" */}}
-			{{ $proto := trim (or (first (groupByKeys $containers "Env.VIRTUAL_PROTO")) "http") }}
-
-			{{/* Get the NETWORK_ACCESS defined by containers w/ the same vhost, falling back to "external" */}}
-			{{ $network_tag := or (first (groupByKeys $containers "Env.NETWORK_ACCESS")) "external" }}
-			{{ $upstream := $upstream_name }}
-			{{ $dest := "" }}
-			{{ if gt $nPaths 0 }}
-				{{ $sum := sha1 $path }}
-				{{ $upstream = printf "%s-%s" $upstream $sum }}
-				{{ $dest = (or (first (groupByKeys $containers "Env.VIRTUAL_DEST")) "") }}
-			{{ end }}
-			{{ template "location" (dict "Path" $path "Proto" $proto "Upstream" $upstream "Host" $host "VhostRoot" $vhost_root "Dest" $dest "NetworkTag" $network_tag) }}
-		{{ end }}
-		{{ if (not (contains $paths "/")) }}
-			location / {
-				return {{ $default_root_response }};
-			}
-		{{ end }}
-}
-
-{{ end }}
-
-{{ if or (not $is_https) (eq $https_method "noredirect") }}
-
-server {
-	server_name {{ $host }};
-	{{ if $server_tokens }}
-	server_tokens {{ $server_tokens }};
-	{{ end }}
-	listen {{ $external_http_port }} {{ $default_server }};
-	{{ if $enable_ipv6 }}
-	listen [::]:{{ $external_http_port }} {{ $default_server }};
+	set $sts_header "";
+	if ($https) {
+		set $sts_header "{{ trim $hsts }}";
+	}
+	add_header Strict-Transport-Security $sts_header always;
 	{{ end }}
-	{{ $access_log }}
+    {{- end }}
 
 	{{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
 	include {{ printf "/etc/nginx/vhost.d/%s" $host }};
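Review bot: The `if ($https)` guard added around the HSTS value has no comment, and under the conditions visible in this commit it looks like it can never be false. The block renders only inside `{{- if $is_https }}` and when `$https_method` is not `"noredirect"`, which is exactly when the plain-HTTP `listen` lines are omitted. If the guard is meant as a safety net in case those conditions change later, say so above `set $sts_header "";`, e.g. `{{/* HSTS must not be sent over plain HTTP (RFC 6797 section 7.2); $https is empty on a non-TLS listener and nginx omits add_header when the value is empty. */}}`. It is also worth noting there that an `add_header` inside a location or a `vhost.d` include replaces this server-level header for that location. The enclosing `server` block starts and ends outside the hunk.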
@@ -475,4 +436,3 @@ server {
 {{ end }}
 
 {{ end }}
-{{ end }}