Add http2 to default listen args

roles/ingress/defaults/main.yml

@@ -21,11 +21,15 @@ ingress_container_networks:
 ingress_container_certbot_email: rehashedsalt@cock.li
 
 # General Nginx configuration
-ingress_listen_args: "443 ssl"
+ingress_listen_args: "443 http2 ssl"
+ingress_resolver: 8.8.8.8
 # This non-obvious setting controls whether directives for certificates will be added to hosts
 # Set to "no" if you do not plan on terminating TLS at the ingress controller, like when using
 # a custom container that *doesn't* automatically-provision LE certs
 ingress_listen_tls: yes
+ingress_tls_protocols: TLSv1.2 TLSv1.3
+ingress_tls_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ingress_tls_prefer_server_ciphers: "off"
 
 # Vhost configuration
 # ingress_servers:

roles/ingress/templates/vhosts.conf.j2

@@ -3,7 +3,7 @@ server {
 {% if loop.index == 1 %}
 	listen {{ ingress_listen_args }} default_server;
 {% else %}
-	listen {{ ingress_listen_args }} ssl;
+	listen {{ ingress_listen_args }};
 {% endif %}
 	server_name {{ server.name }};
 
@@ -13,6 +13,11 @@ server {
 	ssl_certificate_key /etc/letsencrypt/live/{{ ingress_servers[0].name }}/privkey.pem;
 	ssl_trusted_certificate /etc/letsencrypt/live/{{ ingress_servers[0].name }}/chain.pem;
 	ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
+	ssl_stapling on;
+	ssl_stapling_verify on;
+	ssl_protocols {{ ingress_tls_protocols }};
+	ssl_ciphers {{ ingress_tls_ciphers }};
+	ssl_prefer_server_ciphers {{ ingress_tls_prefer_server_ciphers }};
 {% endif %}
 
 {% if server.directives is defined %}
@@ -49,5 +54,6 @@ server {
 {% endfor %}
 {% endif %}
 
+	resolver {{ ingress_resolver }};
 }
 {% endfor %}