roles/nginx: Parameterize HSTS header

This parameterizes the HTTP Strict Transport Security header so we
can use it consistently across all templates. Also, it updates the
max-age to be ~1 year in seconds, which is recommended by Google.

See: https://hstspreload.org/

roles/nginx/defaults/main.yml

@@ -20,6 +20,10 @@ nginx_ssl_protocols: 'TLSv1.2 TLSv1.3'
 # See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
 nginx_ssl_stapling_resolver: '1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]'
 
+# HTTP Strict-Transport-Security header, recommended by Google to be ~1 year
+# in seconds, see: https://hstspreload.org/
+nginx_hsts_max_age: 31536000
+
 # install acme.sh?
 # True unless you're in development and using "localhost" + snakeoil certs
 use_letsencrypt: True

roles/nginx/templates/https.j2

@@ -51,5 +51,5 @@
     # Enable this if you want HSTS (recommended, but be careful)
     # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
     # See: https://hstspreload.appspot.com/
-    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
+    add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
     {% endif %}

roles/nginx/templates/vhost.conf.j2

@@ -98,7 +98,7 @@ server {
         # Enable this if you want HSTS (recommended, but be careful)
         # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
         # See: https://hstspreload.appspot.com/
-        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
+        add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
         {% endif %}
 
         include extra-security.conf;

roles/nginx/templates/wordpress.j2

@@ -9,7 +9,7 @@
         # Enable this if you want HSTS (recommended, but be careful)
         # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
         # See: https://hstspreload.appspot.com/
-        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
+        add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
         {% endif %}
     }
 
@@ -20,7 +20,7 @@
         # Enable this if you want HSTS (recommended, but be careful)
         # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
         # See: https://hstspreload.appspot.com/
-        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
+        add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
         {% endif %}
     }