globally define tls version and ciphers

group_vars/all.yml

@@ -1,3 +1,9 @@
 ---
+
+# mail settings
 mail_server: mail.foo.sh
 mail_domain: foo.sh
+
+# tls protocols and ciphers
+tls_protocols: TLSv1.2
+tls_ciphers: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

roles/nginx/server/templates/nginx.conf.j2

@@ -18,8 +18,8 @@ http {
 
     ssl on;
     ssl_session_cache builtin:1000 shared:SSL:10m;
-    ssl_protocols TLSv1.2;
-    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
+    ssl_protocols {{ tls_protocols }};
+    ssl_ciphers {{ tls_ciphers }};
     ssl_prefer_server_ciphers on;
 
     server {

roles/rsync/server/templates/rsyncd-stunnel.conf.j2

@@ -6,5 +6,8 @@ client = no
 verify = 2
 CAfile = /etc/pki/tls/certs/ca.crt
 
+sslVersion = {{ tls_protocols }}
+ciphers = {{ tls_ciphers }}
+
 exec = /usr/bin/rsync
 execargs = rsync --daemon --config=/etc/rsyncd.conf