class nginx::ssl(
  $session_timeout = '5m'
) {
  include ssl

  # See https://weakdh.org/
  ssl::dhparams { 'nginx-2048':
    notify  => Service['nginx'],
  }

  nginx::config {
    # SSL
    'ssl_session_timeout':       value => "ssl_session_timeout ${session_timeout};";
    'ssl_protocols':             value => 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;';
    'ssl_ciphers':               value => 'ssl_ciphers ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA;';
    'ssl_prefer_server_ciphers': value => 'ssl_prefer_server_ciphers on;';
    'ssl_dhparam':               value => 'ssl_dhparam /etc/ssl/dhparams/dhparams_2048.pem;';
  }

  # Certbot support
  file { '/var/www/certbot':
    ensure  => directory,
    owner   => 'root',
    group   => 'www-data',
    mode    => '0750',
    require => Package['nginx'],
  }

  package { 'certbot':
    ensure => present,
    require => File['/var/www/certbot'],
  }
}