class nginx::ssl(
  $session_timeout = '5m'
) {
  include ssl
  include ssl::snakeoil
  include certbot

  #class { 'certbot':
  #  pre_hook  => '/usr/sbin/service nginx stop',
  #  post_hook => '/usr/sbin/service nginx start',
  #}

  #package { 'python-certbot-nginx':
  #  ensure: present,
  #}

  # See https://weakdh.org/
  ssl::dhparams { 'nginx-2048':
    notify  => Service['nginx'],
  }

  nginx::config {
    # SSL
    'ssl_session_timeout':       value => "ssl_session_timeout ${session_timeout};";
    'ssl_protocols':             value => 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;';
    'ssl_ciphers':               value => 'ssl_ciphers ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA;';
    'ssl_dhparam':               value => 'ssl_dhparam /etc/ssl/dhparams/dhparams_2048.pem;';
  }

  # Already in default config
  nginx::config { 'ssl_prefer_server_ciphers':
    value  => 'ssl_prefer_server_ciphers on;',
    ensure => absent,
  }
}