roles/nginx: Add HSTS check to vhost template

We need to actually check if HSTS was requested before setting the
header in the block handling PHP requests. We check in the main vhost
block, but nginx headers are only inherited if you don't set ANY
headers in child blocks (i.e., headers set in parent blocks are cleared
if you set any new ones in the child).

Signed-off-by: Alan Orth <alan.orth@gmail.com>
Alan Orth 2015-09-27 00:27:41 +03:00
parent 48978407b8
commit 52dc0c357b
Signed by: alanorth
GPG Key ID: 0FB860CC9C45B1B9


@ -1,6 +1,8 @@
{% set domain_name = item.nginx_domain_name %} {% set domain_name = item.nginx_domain_name %}
{% set domain_aliases = item.nginx_domain_aliases | default("") %} {% set domain_aliases = item.nginx_domain_aliases | default("") %}
{% set use_https = item.use_https | default("no") %} {% set use_https = item.use_https | default("no") %}
{# assume HSTS is off unless a vhost explicitly sets it to "yes" #}
{% set enable_hsts = item.nginx_enable_hsts | default("no") %}
{% set has_wordpress = item.has_wordpress | default("no") %} {% set has_wordpress = item.has_wordpress | default("no") %}
{% if use_https == "yes" %} {% if use_https == "yes" %}
@ -69,7 +71,7 @@ server {
fastcgi_cache_bypass $http_pragma $wordpress_logged_in; fastcgi_cache_bypass $http_pragma $wordpress_logged_in;
fastcgi_no_cache $http_pragma $wordpress_logged_in; fastcgi_no_cache $http_pragma $wordpress_logged_in;
{% if use_https == "yes" %} {% if use_https == "yes" and enable_hsts == "yes" %}
# Enable this if you want HSTS (recommended, but be careful) # Enable this if you want HSTS (recommended, but be careful)
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
# See: https://hstspreload.appspot.com/ # See: https://hstspreload.appspot.com/