---
acme_email: acme@example.com
acme_domains:
  - { domain: "{{ inventory_hostname }}", provider: namecheap }

nginx_config_dhparam: /etc/ssl/dhparams.pem
nginx_config_http_template_enable: true
nginx_config_http_template:
  - template_file: http/default.conf.j2
    deployment_location: "/etc/nginx/acme_{{ acme_domains[0].domain }}.conf"
    backup: false
    config:
      core:
        server_name: "{{ acme_domains[0].domain }}"
      ssl:
        certificate: "{{ acme_path }}/certificates/{{ acme_domains[0].domain }}.crt"
        certificate_key: "{{ acme_path }}/certificates/{{ acme_domains[0].domain }}.key"
        trusted_certificate: "{{ acme_path }}/certificates/{{ acme_domains[0].domain }}.issuer.crt"
        ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        dhparam: "{{ nginx_config_dhparam }}"
        ecdh_curve: X25519:secp521r1:secp384r1
        prefer_server_ciphers: true
        protocols:
          - TLSv1.2
          - TLSv1.3
        session_cache:
          shared:
            name: "{{ acme_domains[0].domain }}"
            size: 1M
        session_tickets: false
        session_timeout: 1d
        ocsp: true
        ocsp_cache:
          name: cache
          size: 64k
        stapling: true
        stapling_verify: true
        ocsp_responder: http://r3.o.lencr.org
      headers:
        add_headers:
          - name: Strict-Transport-Security
            value: '"max-age=7776000"' 
            always: true