{# helper variables and per-site defaults that we can't set in role defaults #}
{% set domain_name       = item.domain_name %}
{# assume HSTS is off unless a vhost explicitly sets it to true #}
{% set enable_hsts       = item.enable_hsts | default(false) %}

    {# first, check if the current vhost has a custom cert (perhaps self-signed) #}
    {% if item.tls_certificate_path is defined and item.tls_key_path is defined %}

    # concatenated key + cert
    # See: http://nginx.org/en/docs/http/configuring_https_servers.html
    ssl_certificate {{ item.tls_certificate_path }};
    ssl_certificate_key {{ item.tls_key_path }};

    {# otherwise, assume host is using letsencrypt #}
    {% else %}

    # concatenated key + cert
    # See: http://nginx.org/en/docs/http/configuring_https_servers.html
    ssl_certificate {{ letsencrypt_root }}/certs/{{ domain_name }}.fullchain.pem;
    ssl_certificate_key {{ letsencrypt_root }}/private/{{ domain_name }}.key.pem;

    {% endif %}

    ssl_session_timeout {{ nginx_ssl_session_timeout }};
    ssl_session_cache {{ nginx_ssl_session_cache }};
    ssl_buffer_size {{ nginx_ssl_buffer_size }};

    ssl_dhparam {{ nginx_ssl_dhparam }};
    ssl_protocols {{ nginx_ssl_protocols }};
    ssl_ciphers "{{ tls_cipher_suite }}";
    ssl_prefer_server_ciphers on;

    {# OSCP stapling only works with real certs #}
    {% if use_letsencrypt == true or item.tls_certificate_path %}
    # OCSP stapling...
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver {{ nginx_ssl_stapling_resolver }};
    {% endif %} {# end: use_letsencrypt #}

    # nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
    # when a restart is performed the previous key is lost, which resets all previous
    # sessions. The fix for this is to setup a manual rotation mechanism:
    # http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
    #
    # Note that you'll have to define and rotate the keys securely by yourself. In absence
    # of such infrastructure, consider turning off session tickets:
    ssl_session_tickets off;

    {% if enable_hsts == true %}
    # Enable this if you want HSTS (recommended, but be careful)
    # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
    # See: https://hstspreload.appspot.com/
    add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
    {% endif %}