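---
# Default values for the nginx_* variables.
# Lines starting with "# @var" are documentation annotations; keep them
# directly above the variable they describe.

nginx_official_repo_enabled: true

nginx_user: nginx
nginx_group: nginx
nginx_worker_processes: 1
nginx_worker_connections: 1024

nginx_error_log:
  enabled: true
  file: /var/log/nginx/error.log
  level: error
nginx_access_log:
  enabled: true
  file: /var/log/nginx/access.log
  format: main

# Request size and timeout limits (timeouts are plain numbers; nginx reads
# a bare number as seconds).
nginx_client_body_buffer_size: 10k
nginx_client_header_buffer_size: 1k
nginx_client_max_body_size: 8m
nginx_client_body_timeout: 60
nginx_client_header_timeout: 60
nginx_keepalive_timeout: 65
nginx_send_timeout: 60
nginx_reset_timedout_connection: true

nginx_gzip_enabled: true
nginx_gzip_comp_level: 2
nginx_gzip_min_length: 1000
nginx_gzip_proxied:
  - expired
  - no-cache
  - no-store
  - private
  - auth
nginx_gzip_types:
  - text/plain
  - application/x-javascript
  - text/xml
  - text/css
  - application/xml

# Firewall management is off by default. When enabled, the default rule
# accepts TCP 80 and 443 from any source address (the rule has no -s match);
# narrow it through nginx_iptables_rules_extra or an override if the server
# must not be reachable from everywhere.
nginx_iptables_enabled: false
nginx_iptables_rules_default:
  - name: allow_nginx_ports
    rules: |
      -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
    state: present
nginx_iptables_rules_extra: []

# TLS is off by default, and the default vhost further down listens on
# port 80 with no tls settings, so content is served over plain HTTP unless
# these values are overridden.
# Only TLSv1.2 is listed; add TLSv1.3 where the installed nginx/OpenSSL
# build supports it.
# The key source is a file on disk: keep it out of version control or
# store it encrypted (for example with ansible-vault).
nginx_tls_enabled: false
nginx_tls_versions:
  - TLSv1.2
# @var nginx_tls_cert_source:description: Source has to be a file.
# @var nginx_tls_cert_source: $ "_unset_"
# @var nginx_tls_key_source:description: Source has to be a file.
# @var nginx_tls_key_source: $ "_unset_"
# @var nginx_tls_cert_file:description: Set the destination filename.
nginx_tls_cert_file: mycert.pem
# @var nginx_tls_key_file:description: Set the destination filename.
nginx_tls_key_file: mykey.pem
# @var nginx_tls_dhparam_file: $ "_unset_"
nginx_tls_dhparam_size: 2048
# NOTE(review): OpenSSL defines no "*-GCM-SHA512" suites (its AES256-GCM
# suites are named "*-GCM-SHA384"), so the first two entries are expected
# to match nothing and be skipped; confirm the effective list with
# `openssl ciphers -v` on the target host.
# The remaining entries are RSA-authenticated only, so an ECDSA certificate
# would have no usable suite, and ECDHE-RSA-AES256-SHA384 is a CBC-mode
# (non-AEAD) suite.
nginx_tls_ciphers:
  - ECDHE-RSA-AES256-GCM-SHA512
  - DHE-RSA-AES256-GCM-SHA512
  - ECDHE-RSA-AES256-GCM-SHA384
  - DHE-RSA-AES256-GCM-SHA384
  - ECDHE-RSA-AES256-SHA384
# @var nginx_tls_ecdh_curve: $ "_unset_"
nginx_tls_ocsp_enabled: false
# @var nginx_tls_ocsp_trusted_certificate: $ "_unset_"
nginx_tls_hsts_enabled: false
# max-age=63072000 is two years, and includeSubDomains extends the policy
# to every subdomain. Browsers cache the policy for max-age, so enable HSTS
# only once all affected hostnames serve valid HTTPS.
nginx_hsts_options:
  - max-age=63072000
  - includeSubDomains

nginx_xfo_enabled: true
nginx_xfo_policy: deny
nginx_xcto_enabled: true
nginx_csp_enabled: false
# @var nginx_csp_options: $ "_unset_"
# @var nginx_csp_options:example: >
# nginx_csp_options:
#   - directive: frame-ancestors
#     parameters:
#       - https://example.com
#       - https://mypage.com
nginx_xxxsp_enabled: true
# NOTE(review): presumably rendered as the X-XSS-Protection header; confirm
# in the template. Major browsers have removed the XSS filter this header
# controlled, so it adds little protection; a Content-Security-Policy
# (nginx_csp_enabled / nginx_csp_options, off by default) is the control
# to rely on.
nginx_xxxsp_parameters:
  - mode=block

nginx_vhosts_dir: /var/www/vhosts
nginx_vhosts_default:
  - file: default
    servers:
      - port: 80
        server_name: "{{ ansible_fqdn }}"
        locations:
          - match: /
            root: /var/www/vhosts/default
            index: index.html
# @var nginx_vhosts_default:example: >
# nginx_vhosts_default:
#   - file: default
#     upstream:
#       name: my_pool
#       servers: []
#     servers:
#       - port: 80
#         server_name: demo.example.com
#         tls_redirect: false  # skips locations if enabled
#         tls_redirect_url:
#         tls:
#           cert: /etc/pki/tls/..
#           key: /etc/pki/tls/..
#           dhparam:
#         client_max_body_size:
#         send_timeout:
#         locations:
#           - match: /
#             root: /var/www/vhosts/default
#             index: index.html
#             proxy_pass:
#             proxy_http_version: "1.1"
#             proxy_buffering: "off"
#             proxy_connect_timeout: 3600s
#             proxy_read_timeout: 3600s
#             proxy_send_timeout: 3600s
#             proxy_headers: []
#             error_page: /usr/share/nginx/html
nginx_vhosts_extra: []

nginx_server_names_hash_bucket_size: 32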