roles/nginx: Move HTTP Strict Transport Security toggle to vhosts

This is really a per-site setting, so it doesn't make sense to have
a role default. Anyways, HSTS is kinda tricky and potentially dang-
erous, so unless a vhost explicitly sets it to "yes" we shouldn't
enable it.

Note: also switch from using a boolean to using a string; it is st-
ill declarative, but at least now I don't have to guess whether it
is being treated as a bool or not.

Signed-off-by: Alan Orth <alan.orth@gmail.com>

roles/nginx/defaults/main.yml

@@ -16,10 +16,6 @@ nginx_ssl_buffer_size: 1400
 nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem
 nginx_ssl_protocols: 'TLSv1 TLSv1.1 TLSv1.2'
 
-# Enable HTTP Strict Transport Security?
-# True on production, False on development!
-nginx_enable_hsts: True
-
 # TLS key directory
 tls_key_dir: /etc/ssl/private
 

roles/nginx/templates/https.j2

@@ -1,4 +1,6 @@
 {% set domain_name      = item.nginx_domain_name %}
+{# assume HSTS is off unless a vhost explicitly sets it to "yes" #}
+{% set enable_hsts      = item.nginx_enable_hsts | default("no") %}
 
     # concatenated key + cert
     # See: http://nginx.org/en/docs/http/configuring_https_servers.html
@@ -28,7 +30,7 @@
     # of such infrastructure, consider turning off session tickets:
     ssl_session_tickets off;
 
-    {% if nginx_enable_hsts == True %}
+    {% if enable_hsts == "yes" %}
     # Enable this if you want HSTS (recommended, but be careful)
     # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
     # See: https://hstspreload.appspot.com/