make hsts static; make iptables optional; remove some vars

defaults/main.yml

@@ -42,6 +42,7 @@ nginx_gzip_types:
   - text/css
   - application/xml
 
+nginx_iptables_enabled: False
 nginx_open_ports:
   - 80
   - 443
@@ -56,11 +57,6 @@ nginx_tls_source_use_files: True
 nginx_tls_cert_source: mycert.pem
 nginx_tls_key_source: mykey.pem
 
-nginx_pfs_enabled: False
-nginx_dhparam_size: 4069
-nginx_dhparam_file: "{{ nginx_tls_certs_dir }}/dhparam-{{ nginx_dhparam_size }}.pem"
-
-nginx_hsts_enabled: False
 nginx_hsts_options:
   - nginx_hsts_max_age=63072000
   - includeSubDomains

tasks/install.yml

@@ -81,6 +81,7 @@
       name: allow_nginx_ports
       state: present
       rules: '-A INPUT -p tcp -m multiport --dports {{ nginx_open_ports|join(",") }} -j ACCEPT'
+    when: nginx_iptables_enabled
   become: True
   become_user: root
 

tasks/tls.yml

@@ -35,19 +35,3 @@
     when: nginx_tls_source_use_files
   become: True
   become_user: root
-
-- block:
-  - name: Register dhparam file
-    stat:
-      path: "{{ nginx_dhparam_file }}"
-    register: __nginx_dh_file
-
-  - name: Generate Diffie-Hellman parameter file
-    shell: "/usr/bin/openssl dhparam -out '{{ nginx_dhparam_file }}' {{ nginx_dhparam_size }}"
-    async: 3600
-    poll: 60
-    when: not __nginx_dh_file.stat.exists
-    notify: __nginx_reload
-  become: True
-  become_user: root
-  when: nginx_pfs_enabled

templates/etc/nginx/conf.d/header.conf.j2

@@ -1,8 +1,6 @@
 # {{ ansible_managed }}
 # default header settings
-{% if nginx_tls_enabled and nginx_hsts_enabled %}
 add_header Strict-Transport-Security{% if nginx_hsts_options is defined %} "{{ nginx_hsts_options | join("; ") }}"{% endif %};
-{% endif %}
 add_header X-Frame-Options DENY;
 add_header X-Content-Type-Options nosniff;
 add_header X-XSS-Protection "1; mode=block";