--- # file: roles/nginx/defaults/main.yml # path config nginx_confd_path: /etc/nginx/conf.d # parent directory of vhost roots nginx_root_prefix: /var/www # 1 hour timeout nginx_ssl_session_timeout: 1h # 10MB -> 40,000 sessions nginx_ssl_session_cache: shared:SSL:10m # 1400 bytes to fit in one MTU (default is 16k!) nginx_ssl_buffer_size: 1400 nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem nginx_ssl_protocols: 'TLSv1.2 TLSv1.3' # DNS resolvers for OCSP stapling (default to Cloudflare public DNS) # See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling nginx_ssl_stapling_resolver: '1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]' # HTTP Strict-Transport-Security header, recommended by Google to be ~1 year # in seconds, see: https://hstspreload.org/ nginx_hsts_max_age: 31536000 # install acme.sh? # True unless you're in development and using "localhost" + snakeoil certs use_letsencrypt: True # Directory root for Let's Encrypt certs letsencrypt_root: /etc/ssl # Location where to save initial acme.sh script. After installation the script # will automatically create its home in the /root/.acme.sh directory (including # a copy of the script itself). The initial script is not needed after. letsencrypt_acme_script_temp: /root/acme.sh letsencrypt_acme_home: /root/.acme.sh # stable is 1.20.x # mainline is 1.21.x nginx_version: mainline # vim: set ts=2 sw=2: