{#
  TLS virtual-host fragment for one `item` (an nginx config template).
  Reads item.host (required) and the optional item.san, item.allowlistv4
  and item.allowlistv6. Renders the 443 listeners, certificate paths,
  server names, logging and an optional source-address allow list.
#}
listen *:443 ssl http2;
listen [::]:443 ssl http2;

{#
  Certificate chain and private key are both read from /etc/x509/<item.host>/.
  No protocol or cipher directives are set in this fragment; presumably they
  are inherited from an enclosing context -- verify.
#}
ssl_certificate /etc/x509/{{ item.host }}/fullchain.cer;
ssl_certificate_key /etc/x509/{{ item.host }}/{{ item.host }}.key;

{# Primary name first, then any subject alternative names, space separated. #}
server_name {{ item.host }}{% if item.san is defined %} {{ item.san | join(' ') }}{% endif %};

{# Each log goes to a per-host file and, in parallel, to the local syslog socket. #}
access_log /var/log/nginx/{{ item.host }}.access.log combined;
access_log syslog:server=unix:/dev/log combined;
error_log /var/log/nginx/{{ item.host }}.error.log;
error_log syslog:server=unix:/dev/log;

{#
  Source-address allow list. nginx evaluates allow/deny rules in order and
  stops at the first match, so `deny all` must stay after every allow line.

  IPv4: item.allowlistv4 acts only as a switch. The addresses rendered are
  proxmox_net0.ip of every host in the lbservers group, reduced to the bare
  address by ipaddr('address'); the values stored in item.allowlistv4 are
  never read here.
  NOTE(review): confirm that is intended -- an operator who lists addresses
  in allowlistv4 may expect them to be allowed.

  IPv6: entries of item.allowlistv6 are emitted as written, with no ipaddr
  validation, so a malformed entry reaches the rendered config unchanged.

  These rules match the client address as nginx sees it. NOTE(review): if
  set_real_ip_from is configured elsewhere, the match is made against the
  rewritten address rather than the balancer address -- verify against the
  enclosing configuration.
#}
{% if item.allowlistv4 is defined %}
{% for lb_host in groups['lbservers'] %}
  allow {{ hostvars[lb_host].proxmox_net0.ip | ansible.utils.ipaddr('address') }};
{% endfor %}
{% endif %}
{% if item.allowlistv6 is defined %}
{% for source_v6 in item.allowlistv6 %}
  allow {{ source_v6 }};
{% endfor %}
{% endif %}
{# Default-deny only when a list is defined; with neither, all sources are accepted. #}
{% if item.allowlistv4 is defined or item.allowlistv6 is defined %}
deny all;
{% endif %}