{% set domain_name      = item.nginx_domain_name %}

    # concatenated key + cert
    # See: http://nginx.org/en/docs/http/configuring_https_servers.html
    ssl_certificate {{ tls_key_dir }}/{{ domain_name }}.crt.pem;
    ssl_certificate_key {{ tls_key_dir }}/{{ domain_name }}.crt.pem;

    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:1m;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_protocols {{ nginx_tls_protocols }};
    ssl_ciphers "{{ tls_cipher_suite }}";
    ssl_prefer_server_ciphers on;

    # Enable this if you want HSTS (recommended, but be careful)
    #add_header Strict-Transport-Security max-age=15768000;