class nginx::ssl(
  $session_timeout = '5m'
) {
  include ssl
  include ssl::snakeoil

  class { 'certbot':
    #pre_hook    => '/usr/sbin/service nginx stop',
    #post_hook   => '/usr/sbin/service nginx start',
    post_command => '/usr/sbin/service nginx restart',
  }

  #package { 'python-certbot-nginx':
  #  ensure: present,
  #}

  # See https://weakdh.org/
  ssl::dhparams { 'nginx-2048':
    notify  => Service['nginx'],
  }

  nginx::config {
    # SSL
    'ssl_session_timeout':       value => "ssl_session_timeout ${session_timeout};";
    'ssl_protocols':             value => 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;';
    #'ssl_ciphers':               value => 'ssl_ciphers ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA;';
    # See https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#23-use-secure-cipher-suites
    'ssl_ciphers':               value => 'ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256;';
    'ssl_dhparam':               value => 'ssl_dhparam /etc/ssl/dhparams/dhparams_2048.pem;';
  }

  # Already in default config
  nginx::config { 'ssl_prefer_server_ciphers':
    value  => 'ssl_prefer_server_ciphers on;',
    ensure => absent,
  }
}