diff --git a/sites-available/ssl.no-default b/conf.d/.default.conf
similarity index 62%
rename from sites-available/ssl.no-default
rename to conf.d/.default.conf
index 4a32d15..85adb0d 100644
--- a/sites-available/ssl.no-default
+++ b/conf.d/.default.conf
@@ -1,3 +1,7 @@
+# ----------------------------------------------------------------------
+# | Default behavior for unknown hosts |
+# ----------------------------------------------------------------------
+#
 # Drop requests for unknown hosts
 #
 # If no default server is defined, nginx will use the first found server.
@@ -8,7 +12,12 @@
 server {
 listen [::]:443 ssl default_server;
 listen 443 ssl default_server;
+
+ server_name _;
+
 include h5bp/ssl/ssl_engine.conf;
+ include h5bp/ssl/certificate_files.conf;
 include h5bp/ssl/policy_intermediate.conf;
+
 return 444;
 }
diff --git a/conf.d/no-ssl.default.conf b/conf.d/no-ssl.default.conf
new file mode 100644
index 0000000..f8cdc70
--- /dev/null
+++ b/conf.d/no-ssl.default.conf
@@ -0,0 +1,27 @@
+# ----------------------------------------------------------------------
+# | Default behavior for unknown hosts |
+# ----------------------------------------------------------------------
+#
+# Drop requests for unknown hosts
+#
+# If no default server is defined, nginx will use the first found server.
+# To prevent host header attacks, or other potential problems when an unknown
+# servername is used in a request, it's recommended to drop the request
+# returning 444 "no response".
+#
+# (1) In production, only secure hosts should be used (all `no-ssl` disabled).
+# If so, redirect first ANY request to a secure connexion before handling it
+# even if the host is unknown.
+#
+# https://observatory.mozilla.org/faq/
+
+server {
+ listen [::]:80 default_server deferred;
+ listen 80 default_server deferred;
+
+ server_name _;
+
+ # (1)
+ # return 301 https://$host$request_uri;
+ return 444;
+}
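Review bot: The catch-all that drops unknown hosts with `return 444` on port 443 is shipped as `conf.d/.default.conf`, and the `include conf.d/*.conf;` added in the nginx.conf hunk, by the dot-prefix convention that hunk documents, does not load it, so the 443 default server is disabled out of the box while its port-80 counterpart `conf.d/no-ssl.default.conf` is active. With no `default_server` on 443, nginx uses the first found server on that port (as this file's own header says), so a request with an unknown Host is answered by that site's certificate and content instead of being dropped, which is exactly the case the header warns about. Consider stating this at the top of the file, e.g. `# Disabled by default (dot-prefixed): rename to conf.d/default.conf to enable.`, or shipping it enabled like the no-ssl one.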
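Review bot: The commented option `(1)`, `return 301 https://$host$request_uri;`, sits in a catch-all server (`server_name _;`), so once enabled it copies whatever Host header reached the server into the Location header; for a request whose Host is not one of the configured sites that is a redirect to a hostname this server does not serve. If the goal is to move known hosts to TLS, it is safer to put the redirect in each site's own port-80 block with a fixed hostname and keep `return 444` here; if the catch-all redirect is kept, the comment should say that it forwards the client to `$host` unchanged rather than to a known site. Also `connexion` in the header comment should read `connection`.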
diff --git a/sites-available/ssl.example.com b/conf.d/templates/example.com.conf
similarity index 52%
rename from sites-available/ssl.example.com
rename to conf.d/templates/example.com.conf
index 7eaa162..b9e141a 100644
--- a/sites-available/ssl.example.com
+++ b/conf.d/templates/example.com.conf
@@ -1,34 +1,29 @@
-# Choose between www and non-www, listen on the *wrong* one and redirect to
-# the right one -- https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#server-name-if
+# ----------------------------------------------------------------------
+# | Config file for example.com host |
+# ----------------------------------------------------------------------
 #
-server {
- listen [::]:80;
- listen 80;
-
- # listen on both hosts
- server_name example.com www.example.com;
-
- # and redirect to the https host (declared below)
- # avoiding http://www -> https://www -> https:// chain.
- return 301 https://example.com$request_uri;
-}
+# This file is a template for a nginx server.
+# This nginx server listen the `example.com` host and handle requests.
+# Remplace `example.com` with your hostname before enabling.
+# Choose between www and non-www, listen on the wrong one and redirect to
+# the right one.
+# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#server-name-if
 server {
 listen [::]:443 ssl http2;
 listen 443 ssl http2;
- # listen on the wrong host
 server_name www.example.com;
 include h5bp/ssl/ssl_engine.conf;
+ include h5bp/ssl/certificate_files.conf;
 include h5bp/ssl/policy_intermediate.conf;
- # and redirect to the non-www host (declared below)
- return 301 https://example.com$request_uri;
+ return 301 $scheme://example.com$request_uri;
 }
-server {
+server {
 # listen [::]:443 ssl http2 accept_filter=dataready; # for FreeBSD
 # listen 443 ssl http2 accept_filter=dataready; # for FreeBSD
 # listen [::]:443 ssl http2 deferred; # for Linux
@@ -40,6 +35,7 @@ server {
 server_name example.com;
 include h5bp/ssl/ssl_engine.conf;
+ include h5bp/ssl/certificate_files.conf;
 include h5bp/ssl/policy_intermediate.conf;
 # Path for static files
diff --git a/conf.d/templates/no-ssl.example.com.conf b/conf.d/templates/no-ssl.example.com.conf
new file mode 100644
index 0000000..e9fa62b
--- /dev/null
+++ b/conf.d/templates/no-ssl.example.com.conf
@@ -0,0 +1,40 @@
+# ----------------------------------------------------------------------
+# | Config file for non-secure example.com host |
+# ----------------------------------------------------------------------
+#
+# This file is a template for a non-secure nginx server.
+# This nginx server listen the `example.com` host and handle requests.
+# Remplace `example.com` with your hostname before enabling.
+
+# Choose between www and non-www, listen on the wrong one and redirect to
+# the right one.
+# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#server-name-if
+server {
+ listen [::]:80;
+ listen 80;
+
+ server_name www.example.com;
+
+ return 301 $scheme://example.com$request_uri;
+}
+
+server {
+ # listen [::]:80 accept_filter=httpready; # for FreeBSD
+ # listen 80 accept_filter=httpready; # for FreeBSD
+ # listen [::]:80 deferred; # for Linux
+ # listen 80 deferred; # for Linux
+ listen [::]:80;
+ listen 80;
+
+ # The host name to respond to
+ server_name example.com;
+
+ # Path for static files
+ root /var/www/example.com/public;
+
+ # Custom error pages
+ include h5bp/errors/custom_errors.conf;
+
+ # Include the basic h5bp config set
+ include h5bp/basic.conf;
+}
diff --git a/nginx.conf b/nginx.conf
index 73e336b..70f1083 100644
--- a/nginx.conf
+++ b/nginx.conf
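Review bot: The header comment of this template does not say what "non-secure" costs: the `example.com` block serves `root /var/www/example.com/public` over plain HTTP with no redirect to the HTTPS host, and the port-80 redirect block that the old `sites-available/ssl.example.com` carried (removed in the rename hunk above) has no equivalent in `conf.d/templates/example.com.conf`, so with both templates enabled the site appears to be reachable over both schemes. Suggest adding after the `Remplace` line: `# Serves the site in clear text. In production disable this file and use the HTTPS template; see note (1) in conf.d/no-ssl.default.conf.` The same comment block has two typos to fix here and in the example.com.conf hunk: `Remplace` → `Replace`, and `listen the` → `listens on the`.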
@@ -111,10 +111,9 @@ http {
 # Enable gzip compression.
 include h5bp/web_performance/compression.conf;
- # Include files in the sites-enabled folder. server{} configuration files should be
- # placed in the sites-available folder, and then the configuration should be enabled
- # by creating a symlink to it in the sites-enabled folder.
- # See doc/sites-enabled.md for more info.
- include sites-enabled/*;
+ # Include files in the conf.d folder.
+ # server{} configuration files should be placed in the conf.d folder.
+ # The configurations should be disabled by prefixing files with a dot.
+ include conf.d/*.conf;
 }
diff --git a/sites-available/README.md b/sites-available/README.md
deleted file mode 100644
index 57d8d26..0000000
--- a/sites-available/README.md
+++ /dev/null
@@ -1,12 +0,0 @@
-Sites Available
---------------
-
-Define host definitions here.
-It'd be a good thing if you keep your hosts indexed by domain name, eg:
-
-```
-example.com (handles traffic from both www.example.com and example.com)
-foobar.com (as above)
-test.foobar.com (handles traffic from both www.test.foobar.com and test.foobar.com)
-```
-
diff --git a/sites-available/example.com b/sites-available/example.com
deleted file mode 100644
index 4d94697..0000000
--- a/sites-available/example.com
+++ /dev/null
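Review bot: The new comment leaves unsaid two consequences of the include pattern that decide whether a `server{}` is live: `conf.d/*.conf` is not recursive, so the files this commit places in `conf.d/templates/` are never loaded and must be copied into `conf.d/` (with `example.com` replaced) to take effect, and inclusion order follows the glob expansion (name order on the platforms I know of; worth confirming), so which block ends up as the implicit default on a port when no `default_server` is enabled depends on file names. Suggested wording for the last comment line: `# A file is disabled by prefixing its name with a dot (the glob skips dotfiles); templates/ is not matched and must be copied here.` The enclosing `http {` block starts outside the hunk.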
@@ -1,36 +0,0 @@
-# www to non-www redirect -- duplicate content is BAD:
-# https://github.com/h5bp/html5-boilerplate/blob/5370479476dceae7cc3ea105946536d6bc0ee468/.htaccess#L362
-# Choose between www and non-www, listen on the *wrong* one and redirect to
-# the right one -- https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#server-name-if
-server {
- # don't forget to tell on which port this server listens
- listen [::]:80;
- listen 80;
-
- # listen on the www host
- server_name www.example.com;
-
- # and redirect to the non-www host (declared below)
- return 301 $scheme://example.com$request_uri;
-}
-
-server {
- # listen [::]:80 accept_filter=httpready; # for FreeBSD
- # listen 80 accept_filter=httpready; # for FreeBSD
- # listen [::]:80 deferred; # for Linux
- # listen 80 deferred; # for Linux
- listen [::]:80;
- listen 80;
-
- # The host name to respond to
- server_name example.com;
-
- # Path for static files
- root /sites/example.com/public;
-
- # Custom 404 page
- error_page 404 /404.html;
-
- # Include the basic h5bp config set
- include h5bp/basic.conf;
-}
diff --git a/sites-available/no-default b/sites-available/no-default
deleted file mode 100644
index e233e70..0000000
--- a/sites-available/no-default
+++ /dev/null
@@ -1,12 +0,0 @@
-# Drop requests for unknown hosts
-#
-# If no default server is defined, nginx will use the first found server.
-# To prevent host header attacks, or other potential problems when an unknown
-# servername is used in a request, it's recommended to drop the request
-# returning 444 "no response".
-
-server {
- listen [::]:80 default_server deferred;
- listen :80 default_server deferred;
- return 444;
-}
diff --git a/sites-enabled/.gitkeep b/sites-enabled/.gitkeep
deleted file mode 100644
index e69de29..0000000