server {
	listen 80;
	listen [::]:80;

	server_name {{ nginx_domain }};
	access_log /var/log/nginx/{{ nginx_domain }}.access.log;
	error_log /var/log/nginx/{{ nginx_domain }}.error.log;

	location ^~ /.well-known/acme-challenge {
		root {{ nginx_certbot_webroot }};
	}

	{% if nginx_ssl %}
	location / {
		rewrite ^(.*)$ https://{{ nginx_domain }}$1 permanent;
	}
}

server {
	listen 443 ssl;
	listen [::]:443 ssl;

	server_name {{ nginx_domain }};
	access_log /var/log/nginx/{{ nginx_domain }}.access.log;
	error_log /var/log/nginx/{{ nginx_domain }}.error.log;

	ssl on;
	ssl_certificate /etc/letsencrypt/live/{{ nginx_letsencrypt_domain }}/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/{{ nginx_letsencrypt_domain }}/privkey.pem;

	include /etc/nginx/snippets/ssl.conf;

	{% endif %}

	root {{ ttrss_base }};

	location / {
		index index.php;
	}

	location /cache {
		deny all;
	}

	location = config.php {
		deny all;
	}

	location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
		# cache static assets
		expires    max;
		add_header Pragma public;
		add_header Cache-Control "public, must-revalidate, proxy-revalidate";
	}

	location ~ \.php$ {
		try_files $uri = 404;
		fastcgi_split_path_info ^(.+\.php)(/.+)$;

		# filter and proxy PHP requests to PHP-FPM
		fastcgi_pass   unix:/var/run/php/php7.3-fpm-ttrss.sock;
		fastcgi_index  index.php;
		include        fastcgi.conf;
	}
}