# Match all paths except for ones that should stay as HTTP
    RedirectMatch permanent ^/(?!\.well-known)(.*) https://{{domain}}/$1

    # -- Access --
    # (Needed for Let's Encrypt)
    DocumentRoot /srv/web/{{domain}}/docroot
    <Directory /srv/web/{{domain}}/docroot>
        Require all granted
    </Directory>