#!/usr/bin/env ansible-playbook
# vim:ft=ansible:

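---
# Core container configuration
# NOTE(review): a floating `latest` tag turns every pull into an unreviewed,
# non-reproducible upgrade; pin to a release tag or an @sha256 digest once
# one is chosen (value left unchanged here).
ingress_container_image: jonasal/nginx-certbot:latest
ingress_container_name: ingress

# Secondary container configuration
# host:container mappings are quoted so no YAML 1.1 loader can ever retype a
# colon-separated pair (sexagesimal integer trap); the value is unchanged.
ingress_container_ports:
  - "80:80"
  - "443:443"
ingress_container_persist_dir: "/data/nginx-certbot"
ingress_container_config_mount: "/etc/nginx/user_conf.d"
ingress_container_timezone: "America/Chicago"

# Network configuration
ingress_container_networks:
  - name: web
    aliases: ["ingress"]

# Certbot configuration
# Contact address passed to certbot for expiry and policy notices.
ingress_container_certbot_email: rehashedsalt@cock.li

# General Nginx configuration
ingress_listen_args: "443 http2 ssl"
# Upstream DNS for nginx's `resolver` directive. A public resolver means
# upstream hostnames are looked up over plain DNS outside the host; point it
# at an internal resolver if that is a concern for your deployment.
ingress_resolver: "8.8.8.8"
# This non-obvious setting controls whether certificate directives are added to
# hosts. Set to false if you do not plan on terminating TLS at the ingress
# controller, like when using a custom container that *doesn't* automatically
# provision LE certs. Written as a canonical boolean: `yes` is only a boolean
# under YAML 1.1 loaders and becomes the string "yes" under YAML 1.2.
ingress_listen_tls: true
ingress_tls_protocols: "TLSv1.2 TLSv1.3"
ingress_tls_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
ingress_tls_prefer_server_ciphers: "off"
# Escape hatch for a bunch of directives
# Defaults here are for general-purpose use, like compression.
# Entries carry no trailing semicolon, like the per-server `directives`
# example further down.
# NOTE(review): gzip over TLS on responses that mix secrets with
# attacker-influenced content (API JSON, dynamic HTML) enables compression
# side channels such as BREACH; narrow gzip_types to static asset types for
# applications where that applies.
ingress_directives:
  - gzip on
  - gzip_comp_level 5
  - gzip_min_length 256
  - gzip_proxied any
  - gzip_vary on
  # Folded block scalar: the MIME list collapses to one space-separated
  # directive, exactly as the previous multi-line plain scalar did.
  - >-
    gzip_types
    application/javascript
    application/json
    application/wasm
    application/xhtml+xml
    image/x-ms-bmp
    image/svg+xml
    image/x-icon
    text/css
    text/plain
    text/xml

# Vhost configuration
# ingress_servers:
#   - name: example.com
#     proxies:
#       - location: /
#         pass: http://some-container:80
#     locations:
#       - location: "^~ /.well-known"
#         contents: |
#           location = /.well-known/carddav { return 301 /remote.php/dav/; }
#           location = /.well-known/caldav  { return 301 /remote.php/dav/; }
#           location ^~ /.well-known        { return 301 /index.php$uri; }
#           try_files $uri $uri/ =404;
#   - name: redirect.example.com
#     directives:
#       # NOTE: Do NOT suffix with a semicolon; that gets added for you
#       - "return 301 $scheme://example.com$request_uri"
# Explicit empty list: a bare `ingress_servers:` would load as null, not [].
ingress_servers: []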