fix some standards

defaults/main.yml

@@ -58,6 +58,11 @@ nginx_tls_source_use_files: True
 nginx_tls_cert_file: mycert.pem
 nginx_tls_key_file: mykey.pem
 
+nginx_tls_ciphers:
+  - ECDHE-ECDSA-CHACHA20-POLY1305
+  - ECDHE-ECDSA-AES128-GCM-SHA256
+  - ECDHE-ECDSA-AES128-SHA
+
 nginx_tls_ocsp_enabled: False
 # nginx_tls_ocsp_trusted_certificate: # defaults to not set
 

handlers/main.yml

@@ -1,9 +1,8 @@
 ---
-- name: reload nginx
+- name: Reload nginx
   systemd:
     state: reloaded
     name: nginx
-  listen:
+  listen: __nginx_reload
-    - __nginx_reload
   become: True
   become_user: root

meta/main.yml

@@ -1,3 +1,4 @@
+# Standards: 0.1
 ---
 galaxy_info:
   author: xoxys

tasks/tls.yml

@@ -1,3 +1,4 @@
+---
 - block:
     - name: Copy certs and private key (content)
       copy:

templates/etc/nginx/conf.d/tls.conf.j2

@@ -1,13 +1,12 @@
 # {{ ansible_managed }}
-# certificate settings
+ssl_ciphers '{{ nginx_tls_ciphers | join(":") }}';
-ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA';
 ssl_prefer_server_ciphers on;
 
 ssl_protocols TLSv1.2;
 ssl_session_cache shared:SSL:10m;
 
-{% if nginx_tls_enabled and nginx_tls_ocsp_enabled %}
+{% if nginx_tls_ocsp_enabled %}
 ssl_stapling on;
-ssl_trusted_certificate /pfad/bundle.ca.pem;
+ssl_trusted_certificate {{ nginx_tls_ocsp_trusted_certificate }};
 ssl_stapling_verify on;
 {% endif %}