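{%- from slspath ~ '/../map.jinja' import listen_ips -%}

# Pillar data for nginx: reusable configuration snippets.
# Each key under `snippets` is a snippet name and its value is a list of
# nginx directives; nested lists become the body of a block directive.
# NOTE(review): keep the import statement above as the very first line.
# Its whitespace control trims neighbouring text, so a comment placed
# before it would be glued onto the following line when rendered.
nginx:
  snippets:
    # Serve /robots.txt from the shared htdocs directory.
    robots:
      - location /robots.txt:
          - root: /srv/www/htdocs
    # TLS baseline: TLS 1.3 only, session tickets disabled, 10 MB shared
    # session cache, HSTS and OCSP stapling.
    tls:
      - ssl_session_timeout: 1d
      - ssl_session_cache: shared:Lysergic:10m
      - ssl_session_tickets: 'off'
      - ssl_protocols: TLSv1.3
      - ssl_prefer_server_ciphers: 'off'
      # HSTS with max-age 63072000 seconds (730 days). nginx inherits
      # add_header from the enclosing level only when the current level
      # defines no add_header of its own, so a server or location block
      # that adds another header must repeat this one or HSTS is dropped
      # for its responses.
      - add_header: Strict-Transport-Security "max-age=63072000" always
      # Stapled OCSP responses are verified against the CA bundle below.
      # NOTE(review): nginx's documentation asks for a `resolver`
      # directive so the OCSP responder hostname can be resolved; none
      # is set in this snippet - confirm it is configured elsewhere.
      - ssl_stapling: 'on'
      - ssl_stapling_verify: 'on'
      - ssl_trusted_certificate: /etc/ssl/ca-bundle.pem
    # Pass requests whose URI ends in .php (case-insensitive) to the
    # local PHP-FPM socket.
    # NOTE(review): there is no `try_files $uri =404` (or equivalent)
    # guard here, so every matching URI is handed to PHP-FPM whether or
    # not such a file exists under the document root. Safe handling then
    # depends on PHP-FPM's security.limit_extensions and PHP's
    # cgi.fix_pathinfo settings - confirm those, or add the guard,
    # especially for sites that accept file uploads.
    php-fastcgi:
      - 'location ~* \.php$':
          - fastcgi_index: index.php
          - fastcgi_pass: unix:/run/php-fpm/php-fpm.sock
          - 'include': fastcgi_params
          - fastcgi_param: SCRIPT_FILENAME $document_root$fastcgi_script_name
    {%- if listen_ips | length %}
    # One HTTPS (TLS + HTTP/2) listener on port 443 per address from
    # map.jinja; the snippet is omitted when the list is empty.
    # The value is quoted so that a bracketed IPv6 literal is read as a
    # string instead of being parsed as a YAML flow sequence.
    # NOTE(review): nginx needs IPv6 addresses in square brackets -
    # confirm map.jinja supplies them in that form.
    listen:
      {%- for ip in listen_ips %}
      - listen: '{{ ip }}:443 ssl http2'
      {%- endfor %}
    {%- endif %}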