---
# file: roles/nginx/defaults/main.yml

# path config
nginx_confd_path: /etc/nginx/conf.d

# parent directory of vhost roots
nginx_root_prefix: /var/www

# 1 hour timeout
nginx_ssl_session_timeout: 1h
# 10MB -> 40,000 sessions
nginx_ssl_session_cache: shared:SSL:10m
# 1400 bytes to fit in one MTU (default is 16k!)
nginx_ssl_buffer_size: 1400
nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem
nginx_ssl_protocols: 'TLSv1.2 TLSv1.3'

# DNS resolvers for OCSP stapling (default to Cloudflare public DNS)
# See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
nginx_ssl_stapling_resolver: '1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]'

# HTTP Strict-Transport-Security header, recommended by Google to be ~1 year
# in seconds, see: https://hstspreload.org/
nginx_hsts_max_age: 31536000

# install acme.sh?
# True unless you're in development and using "localhost" + snakeoil certs
use_letsencrypt: True

# Directory root for Let's Encrypt certs
letsencrypt_root: /etc/ssl

# Location where to save initial acme.sh script. After installation the script
# will automatically create its home in the /root/.acme.sh directory (including
# a copy of the script itself). The initial script is not needed after.
letsencrypt_acme_script_temp: /root/acme.sh
letsencrypt_acme_home: /root/.acme.sh

# stable is 1.20.x
# mainline is 1.21.x
nginx_version: mainline

# vim: set ts=2 sw=2: