{{ ansible_managed | comment }}

# default blank vhost
#
# clients asking for "example.com" should only get a response if we have
# a vhost serving that domain.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

    return 444;
}
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name _;

    # self-signed "snakeoil" certificate
    ssl_certificate /etc/ssl/certs/nginx-snakeoil.crt;
    ssl_certificate_key /etc/ssl/private/nginx-snakeoil.key;

    ssl_session_timeout {{ nginx_ssl_session_timeout }};
    ssl_session_cache {{ nginx_ssl_session_cache }};
    ssl_buffer_size {{ nginx_ssl_buffer_size }};
    ssl_dhparam {{ nginx_ssl_dhparam }};
    ssl_protocols {{ nginx_ssl_protocols }};
    ssl_ciphers "{{ tls_cipher_suite }}";
    ssl_prefer_server_ciphers on;

    # nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
    # when a restart is performed the previous key is lost, which resets all previous
    # sessions. The fix for this is to setup a manual rotation mechanism:
    # http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
    #
    # Note that you'll have to define and rotate the keys securely by yourself. In absence
    # of such infrastructure, consider turning off session tickets:
    ssl_session_tickets off;

    return 444;
}