---
- name: Configure nginx for certbot challenge and TLSv1.2 for {{ acme_domain.domains[0] }}
  ansible.builtin.import_role:
    name: nginx_core.nginx_config
    allow_duplicates: true
  tags: nginx
  become: yes
  vars:
    nginx_config_dhparam: /etc/ssl/dhparams.pem
    nginx_config_http_template_enable: true
    nginx_config_http_template:
      - template_file: http/default.conf.j2
        deployment_location: "/etc/nginx/acme_{{ acme_domain.domains[0] }}.conf"
        backup: false
        config:
          core:
            server_name: "{{ acme_domain.domains[0] }}"
          ssl:
            certificate: "/etc/letsencrypt/live/{{ acme_domain.domains[0] }}/fullchain.pem"
            certificate_key: "/etc/letsencrypt/live/{{ acme_domain.domains[0] }}/privkey.pem"
            trusted_certificate: "/etc/letsencrypt/live/{{ acme_domain.domains[0] }}/chain.pem"
            ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
            dhparam: "{{ nginx_config_dhparam }}"
            ecdh_curve: X25519:secp521r1:secp384r1
            prefer_server_ciphers: true
            protocols:
              - TLSv1.2
              - TLSv1.3
            session_cache:
              shared:
                name: "{{ acme_domain.domains[0] }}"
                size: 1M
            session_tickets: false
            session_timeout: 1d
            ocsp: true
            ocsp_cache:
              name: cache
              size: 64k
            stapling: true
            stapling_verify: true
            ocsp_responder: http://r3.o.lencr.org
          headers:
            add_headers:
              - name: Strict-Transport-Security
                value: '"max-age=7776000"' 
                always: true
      - template_file: http/default.conf.j2
        deployment_location: "/etc/nginx/conf.d/http_{{ acme_domain.domains[0] }}.conf"
        backup: false
        config:
          servers:
            - core:
                server_name: "{{ acme_domain.domains[0] }}"
                listen:
                  - address: "{{ ansible_default_ipv4.address|default(ansible_all_ipv4_addresses[0]) }}:80"
              log:
                access:
                  - off
              locations:
                - location: /
                  rewrite: # https://nginx.org/en/docs/http/ngx_http_rewrite_module.html#rewrite
                    return:
                      url: "https://{{ acme_domain.domains[0] }}$request_uri"
                      code: 301
                - location: /.well-known/acme-challenge/
                  core:
                    alias: /var/www/html/.well-known/acme-challenge/
                    try_files:
                      files: $uri
                      code: =404