From 7956d09b3e0ce49118626d7e86579a2e32ec80e7 Mon Sep 17 00:00:00 2001 
From: Alexander Dietrich Date: Sat, 3 Nov 2018 16:20:39 +0100 Subject: [PATCH] New nginx role --- basics.yml | 7 +- host_vars/srv02 | 1 + production | 4 + roles/nginx/defaults/main.yml | 8 +- roles/nginx/files/error-pages/502.html | 10 ++ roles/nginx/files/error-pages/bad_gateway.png | Bin 0 -> 20660 bytes roles/nginx/files/error-pages/style.css | 4 + .../files/etc/nginx/include/headers_hsts.conf | 4 - .../etc/nginx/include/letsencrypt_srv02.conf | 5 - .../files/etc/nginx/include/no_logging.conf | 7 - .../files/etc/nginx/include/no_symlinks.conf | 1 - .../files/etc/nginx/include/ssl_rewrite.conf | 4 - .../listing.conf => snippets/autoindex.conf} | 0 roles/nginx/files/snippets/error-pages.conf | 5 + roles/nginx/files/snippets/header-hsts.conf | 1 + .../location-acme-srv01.conf} | 1 + roles/nginx/files/snippets/location-acme.conf | 5 + .../no-unsafe-files.conf} | 3 +- roles/nginx/handlers/main.yml | 5 - roles/nginx/tasks/main.yml | 49 ++++--- roles/nginx/templates/letsencrypt.conf.j2 | 4 - roles/nginx/templates/nginx.conf.j2 | 124 ++++++++---------- 22 files changed, 122 insertions(+), 130 deletions(-) create mode 100644 roles/nginx/files/error-pages/502.html create mode 100644 roles/nginx/files/error-pages/bad_gateway.png create mode 100644 roles/nginx/files/error-pages/style.css delete mode 100644 roles/nginx/files/etc/nginx/include/headers_hsts.conf delete mode 100644 roles/nginx/files/etc/nginx/include/letsencrypt_srv02.conf delete mode 100644 roles/nginx/files/etc/nginx/include/no_logging.conf delete mode 100644 roles/nginx/files/etc/nginx/include/no_symlinks.conf delete mode 100644 roles/nginx/files/etc/nginx/include/ssl_rewrite.conf rename roles/nginx/files/{etc/nginx/include/listing.conf => snippets/autoindex.conf} (100%) create mode 100644 roles/nginx/files/snippets/error-pages.conf create mode 100644 roles/nginx/files/snippets/header-hsts.conf rename roles/nginx/files/{etc/nginx/include/letsencrypt_srv01.conf => snippets/location-acme-srv01.conf} (90%) 
create mode 100644 roles/nginx/files/snippets/location-acme.conf rename roles/nginx/files/{etc/nginx/include/no_dotfiles.conf => snippets/no-unsafe-files.conf} (71%) delete mode 100644 roles/nginx/templates/letsencrypt.conf.j2 diff --git a/basics.yml b/basics.yml index 9a52ef0..58772c7 100644 --- a/basics.yml +++ b/basics.yml @@ -1,5 +1,5 @@ --- -- hosts: all +- hosts: ffhh roles: - basics - ffhh-basics @@ -9,3 +9,8 @@ roles: - certsync tags: certsync + +- hosts: nginx + roles: + - nginx + tags: nginx diff --git a/host_vars/srv02 b/host_vars/srv02 index 97c415a..d38f4b1 100644 --- a/host_vars/srv02 +++ b/host_vars/srv02 @@ -4,3 +4,4 @@ basics_autoupdate_origins: - o=TorProject,n=${distro_codename} hopglass_frontend_tls_crt: /etc/letsencrypt/live/hopglass.hamburg.freifunk.net/fullchain.pem hopglass_frontend_tls_key: /etc/letsencrypt/live/hopglass.hamburg.freifunk.net/privkey.pem +nginx_resolver: 127.0.0.1 diff --git a/production b/production index 05513d0..0786974 100644 --- a/production +++ b/production @@ -10,11 +10,15 @@ srv03 [hopglass-frontend] srv02 +[nginx] +gw03-new ansible_host=gw03-new.hamburg.freifunk.net + [updates] srv01 srv03 [vms] +gw03-new srv01 srv02 srv03 diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml index 3640390..f4915de 100644 --- a/roles/nginx/defaults/main.yml +++ b/roles/nginx/defaults/main.yml @@ -1,2 +1,6 @@ -letsencrypt_webroot: /var/www/letsencrypt -nginx_resolver: 127.0.0.1 [::1] +--- +nginx_access_log: "off" +nginx_error_log: "/dev/null error" +nginx_package: nginx +nginx_worker_connections: 512 +nginx_worker_processes: auto diff --git a/roles/nginx/files/error-pages/502.html b/roles/nginx/files/error-pages/502.html new file mode 100644 index 0000000..16fdca7 --- /dev/null +++ b/roles/nginx/files/error-pages/502.html @@ -0,0 +1,10 @@ + + + + + 502 Bad Gateway + + + + Bad Gateway Sign + 
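Review bot: Narrowing the first play from `hosts: all` to `hosts: ffhh` means gw03-new, which production adds only to the `[nginx]` and `[vms]` groups, no longer receives basics, ffhh-basics or certsync unless `ffhh` is a parent group of `nginx` somewhere outside this patch. If that is intended, a comment on the new play such as `# gw03-new is deliberately not in ffhh; it only gets the nginx role` would make it explicit; otherwise the host should also be listed under `ffhh` in production.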
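Review bot: The new default `nginx_error_log: "/dev/null error"` raises the error-log level from the `crit` that the deleted no_logging.conf used, and the privacy rationale that file carried (visitor IPs are not to be logged; point the log at a real file only temporarily while debugging and delete it afterwards) survives nowhere in the new defaults. Since these two variables are now the only place an operator sees the policy, I would add above them `# Privacy: do not log visitor IPs. Only set a real log file temporarily for debugging, then delete the logs.` and keep the quotes on `"off"` (unquoted `off` is a YAML boolean and the template would render the Python value rather than the nginx keyword). Dropping `nginx_resolver` from the defaults also means a host without its own value (gw03-new has none in this patch) silently gets no `resolver` and no OCSP stapling, since the template now conditions both on it; the srv02 host_var re-adds it without the `[::1]` the old default had, which is fine but worth a comment.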
diff --git a/roles/nginx/files/error-pages/bad_gateway.png b/roles/nginx/files/error-pages/bad_gateway.png new file mode 100644 index 0000000000000000000000000000000000000000..1bfdffa8c80d9b8533ead4a68efdb2aae32cc9c7 GIT binary patch literal 20660 zcmc$`WmJ?=`{+H)z|bJlAc7!*w19-93P^Xiq;xYhGa?4vU5a$a&@rIoP|`ghB`qLb z@2$`OIcvS|d%m1chqYL<=AJ!!U%RjPUGqs@^%XGz9RUagB36)>(FB3O`XCV28$2lR zB>Ye44)B8Q@j^ix5BLkfv-$|U$9I)C@Bm(>|Ndk3DF-K{|| z7>vix*}=o|wW~Fci@R<5o;V!{!~{~1d9Lk~vAY2Cp_rJ${k@+bC;h8csbW-29+&Jn zihu(zjF|JwPf|)8?e9@xc;2NsIhtQT{xQu{(2({ce1Hwce|UN0Hh_Ml+*l*lEY^G; zl*Ja^ASUJ^oVpcs^NfUyj4U>qA1edf zm4@fud-}Ph?q@RQnI#e=Gj5;?2;-^vsw`2{19IVxP*srP><=bpX67$U&j^-ap!Oy4 zAdh3|VqvkWd*+S7J;;x!5YQfW3?@C~E>LSI+zNzYx=U{2R5j60mYW0ZUYACdIeVU>qKLj)?$p!nrZt@0BQ z+uF~s;cKQJ-@7j3f^>Eq8GsfvdfhEazqmGQ2q_7p+<7~XT`f7_*ol_bO$e!5=;R*u zy&Q%DLqIa9ls?#MkgIoEN%7f(0K^*Yhw#; zhRhl#s+=cu6E;4(M_}@n{uC5%izSc*>4{IEmz9x`S!I_c1hpDMPQ4*%Q<{DXP-B`U z`)C(;NjIIp5^gVb27s#M{Eb^^Y0hyfJ;N0-0D+7 zIdgHMw7Dtr-Xp{#wgBDy)C2W$1~ApS(n1glU|;Tm8wL`z{!%K@Davu*<(WgA$RZRj2GD7I>~dBQgj7 zQ~rDfVZDNI;M{av>b~zO?UhXE+-Ht_uJ;RDFV%UeT#v^1?_}(G3sL?OhBkN_*g~j_ zEgn3>GB9~Z<|FT7%XkegoqZk5@^2UhPp(l$V?;t96H@xuvOctY?4|{2h}Jh|U}^6V z-jmD=S}K&!aUfqx+J@&pMG&yUTYS0dvi?q-n&ucB(v!z`@y8mKF(KV#s;l@i_6qg6 zNIHvVuwX0}7bo{lsLcpoIcRAraq?|R6fxqIF|oK1m@*kv3P!?lc3vqM40c7yYio2y(!X!rkoS->DMQ9P6QcS z{QgQ<#=P``ymdp*QAg}n%xv8!+dKyi|5xm^Si%Gj60nCFyC9q+ECz~P37`}+ zn}aDKyOFY!(Sm+oBr_S@8=jc(rS52!67jJlDdOJ>QSqwKnBzGp9U|w!uOxUQksM&^ zw1IO}ABX7J{7tHR3Q3Z0L&%#A7TEd9O8eC z1@-6uN^Xm-AMtkt*dzG<*1%j%i`z*4-@g3+h5C=gRs#R+3k(1MM<|(@s_>Y)Mi903X^qXM3WlKmSn8KD)LzXQ&kF3J+}znQ52447m0 zlYh+#dB{Qkr< zd#W9k>Y*3J^A&PXCEX^HQd=zZ->EjDx2p6Pp13}yzvOu6w0v>4<<@@cIV-sp#{|F}Pp}H$x zsM&q%RP}9?8^uLcqh5Bk}AF&axzKcwrIQ9opE89sbu zrx0O5S-e|IILr9C}_QZnMk z^D%loT>@{Vj~~GwEGr$|U*Q(H@0P84 zj84?=(^Q_jEV;jjUHUq3@DTeZ!1w_IXhwr zmXnOLlRo^8r4f7gj8O$!_ZEk1cJ=xRAfWge$?tFBi}kS|*|kOf?U+u*7vdu&$g8WC zd%vV~-}2~~4dR-%n)?bGqu^V^e^u7+1$CaVolOyt3<11?NzlA93`KW2ps2b+?{uRR6Y1@ 
zu6Deu=T_Efyb?k?S;regogz%~Mgx6nnamC4^3|hassDMr-)QrIEL7O0@-5@7hd&DJ3CmniJ;zC~{VyZNe>VdkkMDX7|)v znAFP~T6>NsJ_(?ru1EJ0w3(hM&Ke>k2H@c*=R_n?HAVcBs-b8cqP;!L2}pW3Ogg;@ zRb6I3$BQ8_hLyECiDW(8u+t=nImD>Qy;B+*YtX0d(XV=_{=L)ovGG?k=#41Rjwn}l z=n-|EscD;t!S!;Q=Hf61>urB8c2q{(+g95lEb7sn@?C8HFt+A`|&|-c^GV_;Nf#_HcNJF%qH@OWR!de^ji%DHTkMyC=YB%HUzm(0m4|Bb5*pN{ zz%B=>z1eRLMP#hvE2a&jwiiQgnIq8)*9P`9{r7%b7 z=X97a^{}20ORF|N#8Pg5B7J-lM_FTJPxl)&C!O9?R)I-b8&PN^Z@n>i{C?B3IF%0N z_e7oT@{(^Ph<)Uk*1RwKWMb@@hbqrd=6kHc5AU408zF3PF*&sVncJshg4--ACuoxt zu4e$jbeq|=7qFe9Pir)7z7K>79x#~r6 zymJJ`{@L@Q2B{}56N|a1-CTGUODPVX+>Hbeb-Y5&PUG~D5$<@a-ri8gK>vP)g#s|G zF>M*Rf(>RoGB>sByg3uOsLD@mIP3@^Um*|Zf>4L}`58BkY=lf?Am6tIRPGfPKNjc4v(o08;7jwkF zitE}ZK@=dDIEk1E&;qDnmROrDIOQTq9bc|$8Id%DUFKN zDs4$|XP11g3oEF}){|OJbf{nsh7%Q@Emr@tArUy_p`PuBPhE$%*QwQ;8x}@YJkUy` zPAgU$yo&G7ZtAb}%tdzZ@_D|s>WS!fv))`VbZRewO;6b*?r7&5wH@tLx~I>c|8nnZ zsx}Q70uRpO!nfeS~N|m9L-L)#`PVZ{PcQ;)37YMdG`Rf-l+SFgv1Z2%Tt}E zPWTkp=lkZZC)~fUY&%3xhS7*uJ-8dw9CwHNRk~qV{SB%nM4rCg;+4N_*P-%|!(|d1>fSIX_k%y(5|-A`==NQ& zH?jeo2)mn>8;1|=gT^@Gw|1^`d~W#>ES_m!DK>Ry8`vs)Oxkq1ZD_5le_9~6DP8{T z{Cad{8GpgG4d|cowgFQ4TW6fDj*CiW(^8KHieF)-OpjNFqU_1zZbX^MDR=lS8?n(g z7P$zc@|yjI8`KkhlKM9SBdgD8ZNGkbfp0(}+x0XL-u%oTBh=h-lR2soSa( z$(?FXLcUdr6({Wv9EDI0xl*eMQyF2O zz>)#?&VCv+&JiUYQ6org3SF|j6}sitypzDCcZ&BDwSIt6E)|e(mr&uk)+6|d?0Lt1 z)WxTn;0u_>+=f=Y>GfmA|QFNGo_%L#Zn3YiF(WH~O_pDYD=I%5k~;EWgH zQS`Fm$P%t5!hc&lb3J?b`;;v8*)5vDA(XHE#$>CgFoRHv=OAca2hnn9icW6ems}kX zRq$|`E70v7e(bIU$B}=~KLv%T*!N1GQe-~=!ELYLHb;eIg(P@It%t`?87n6{{w@#U zXE{x#oP1;$(2APHz8kEdka!@VDv%~77T>End+En)YS zLdsfM+5VI|D&*=skI_zlV@2`a1q*s&z$UPfTw92Sym7vue2b8W;QiNC`u)kV|vES9~vqiRgb&hy}vEmXor z?X9;#_1ig3*{_AaLnN$p&uZewIkq6034*rpL^fzcYi7iA!J}`?7zo$IUWcU9csK0_ z2vq;Mb_tkoEx4K@tRid`cReDpxp1m2@%g*<*1ZKoH;q^nYTKGi0sU&cUx{nZ{=T`1 za&i@8vBj6wQx7AtBd4P-EEp`w{^+zlul?O8twN}NEZIdzRqF7DVqH(RY2(za=HsXR z5C=(YXjD9*!;A&$@L-ba#c_ zu+sagM0YaZ-L5aCWNTK&+0!LRA?UPh8+_E`EBr3k@ySv;S#@z|y4GO5S-ld!Y1NMz zM#d2xZq$Wak*9;dzl2m8JKChk^Q2tvO8=pJ;*fN0| 
zdUcaeL9Mg7r6x(LY{Zqimk~ytApN>8d;Lh_~HHUTDT1*?)w!UJ2?wMOCIh@fJaTU{Y zB^nrGk5`n|W%m1S@jBQ0-8t+JY%}{vr=w+d6|hNl{d}Tzt}u{F2STmZHUz!u`?)>F zlWMyH>Z_e@{D|b;($knz-Jfr3u9?{mP$7gucc`LRCHx6!09c2m*ddYX|Kit>777=`#OH z9fnjln-8}8>T`P*O{F5A^R9xA+XhPKSOqS%oo?o?^0yDtBeSzxXJ;!zDCex!Yf~4U zGUDwt&Tnx34DVKVjq`Wuc5C=*5)atxR@%0>u>+nDnf5ZAtp&E4unevj%Ul`;7qU@3lo`X*C$1WER|18&nm(IbAiIN$J3^S*Wvk+ukPLy>EjoPJT(<5bYJ`fHFGNGSK%9<+ zB)ELVsjI{jj=#x5W(}V9qc=u(BnoXldf(^6=;=P`r#GUBHn{c*H4LmFxBY4~svMm( ziB=IY3E*;d5L+4(?VhvNvDC{9_+p6DX6@7`zYaKpnL?L#(gr=3-eu$*P4@NKu7S_n z)!;&2nVG%^vQ0ntJBJ9BGs8YJm|I)*pFs;Ea3Ab5=(4|xVUy!9nJY4OL+%c2Egaif z-ly0V;|Ooiduot7%;leWCzv(d)6!$5|Fl30-W8l?yG2#1M+nVO-^DOOJ)e?Rf;Jy% zx85)Ie!SkjLx}>Rz1PCgwX-)S@E;+7{r7N0(`}RA6_bw2&Yp%nm&gQX$j2S16~wjD zkHz~;X4Mr!)4i2lhJHFkvIbYVe+bw-oWQ~UrjSoB;wu+aJ*4I0hZblZxR2ZaV{Cm+ z=2ahf%Ujdrgk$0%YHI-s=+@^!>lMPJl>^;oUUmW2P^Z@Z_0(URN`nxt#2v#n5r4KG z<0h`u8m+!K21QAiKt?%}dfnP`mM*QqM^wsYkGAL20$*KwVC%P|uNr=6Om5S@Cxq$; zX%_(oc(`;VFZ_qrxM_`3HWzH!>3ep7sU(wt9=OCC)I-rW4v~EtqEq}au!qaZveKqN z8e2d5&x!McSz5GphkNj|0L8tajZ&=1-9LMslm>E6iukZTj3^V{g43Czs~CF+CPFHB0)g8j-j=Qrz@{5(dd{VKb`A~-f$w~y!EK%GRsh7J? za|`rID^&|Xx$SYGCBryw98F{sPxM2dQe_?M9=tu-MXTyUxLiCPwidQe7>>>0$HQbx z=fhw7TN00HUYcC2{iacyYDS)yZgizb_Q<4KR{(k|v8ava;&i77>Y2BpB42G$$@NuT zp#8SM1;4-Rxvu&5g2^NZVQsS*gg5ZDsqX77i%W3nya=FA+LA$g8*r`qYr`^eODUN% z8wm;*&7l2aPaDAF0{T@#JlJ$DZnTloRTSo-&zXLDqeB}{r29tJ^Op$tvR*JMYIn0` zs^I9-2Lz|$=nvYP23n4PMx4iq$gMPKH{n|5wsOY0Jy4l+XxYQJ#nppbG3nUI59vE! z1-5SI%)Uds^D!9aueX3xGWlA-pM;Fp>zT-2hh!ttvq+so?R9`dT1?OI)XTfDT_3+P zj+?^8^NX^u>+PIo)I(!1amnbtQI*w_BrkYe=wSU=$yU%qGX2(XXGnt@T#2<$PZ)h9 zEK_foyc0ns9+vocrSg)bo!Hn<+o_pD0NjFdrzRF~?DlrrHu% z)ehUZuBGtVxgI$;FPW^XKDzd)`SX%Vzi%{C^}tN5Hf8Y9(bq%az-57@_?g9ewtFJS z;SlVwL(e}`QzUiaK@-0O z8-O!2wM|CZpY@BApP~ttkS>8PT7`rK200vv-uDZ$!cdzvT8;!z`2?-vkJd(C=?diS z+T1`pF5qR&;*PBEvs>NJjA9#K4UcC+5Abr<3JlGimQW6IYxK4qzWN-7r3*)v=hm6z z(@)#G-X*1RxCa;2i1;bnJp@v+UZ^r>Pf-h;3y!|5U@%nWfa=@8I)D(w^9SDKOT6CR z{U%*W>A(1^a$urso?@Mzda` zl3HhK%sEynF4(O+#apiuVH<{4*yxhaAZ)7^#hY*@KPG#hcI? 
zN(p2kPJrlqOL1W3pMB=U^TBNhiNCsa zHgPeyy?t$di2zibfMxhN0{>*^?&@sFBp-@^uclc-LU@PDJP)RJ+cl*KRmee^gZE&9TxdB7g z)c#0+cspsj3#Rsc4FoL>9L3TbJcXwV5Y$sTvtAAd!jr?-jkw&8g>*hl5zrtVXDx@5 z!^U{EGr6#Vt$*Dtx6nw4(qb%f!4#$)e3|DUr1!5;{gO2(LW|+?v@c)fN8(OFG`E2-|X@{Onm%Dj#|=XT1Uayi|)@Rg~HKg z|0Z=Y32~{4<&9^Q?;{kwv+(bc=4#cP;x>ke(}Fms8vea5Wp?dmJ>tqBhC>iw!egTlJ<=Rbi>25v_&eEsDGGw&eGo)<4FX!%o3kZ z5n5q62x!D=W+AWvnPy-VJ`*n%5*|IR-6zqRq^qrISU(Tn3S}GAH}IKJ)GNN9Sar8U zyENw*IlSj+*f^fTgQg~Na;(cpct&~BB>Yg0~SSzF46k?`{S1^e(==$vI>sZ(|wfhV1f zn)jZ?vyt1U+liC7UII6F2g!5mD0(>Pn_YFfyQT-X&S|L~vJUzVN0U#6@>RqM=TGwo zc522{$^x&|s>FRv2-^tOev*pXn>b`sPS%AYu zO3V%V=JsJ_x5WtH9@y>C*&}&02p*aqx3;iN)<(K-%{ea+2Jn4rUioU4^px)9^AFI; z9*2i{AckykR_1CT)-<<2!doqEiogG{B$ZEH#kn`f#wNYgv@jgj?e2d9DKu+nEvm{- zs}fJc`*ZKLlZm`UGYNR`gFLmz(F4@8kQbS{iR{?5rMq*I&f5B5wgP_H3Bug1s#yuV z!pte!R8+c@KBhitT+ks;tA&jA!CF87CFAzOzF@`^)M5M)^%_{yHs+YOb{z?yr9@_H zHI9j-;mu#C?XQTCWNRwbl-TP}%*H)<$)+!L(?}?d`GM-+oiwFZ-j}clRQMF3Y(9Sq zINzI~{mA$Uj$fh%w87Rr+tof}d!6{RYaZ@& zQVeGruLt5%PYZDK9bW~9&b+g6w$Dpy98wA35#0LvOlfh}WBQ`{Ue>%bZAvB(bTi^v zV5TNbyz%4yM$C`R?ErC66TtM8>PT&)HO?D}$Un~9!Y>!O7|0n*r0#VNL~^f6_~m+%aUDx zkM7-{wimXS%gl8qL=ICz6&1gp^E(rbvJH};Czd2_v)YlBc zO?Acx!5G0eqB|JBCpRaD5^0(^0yN;M zn#8w&8|L5rQz)@9IFAYtt;;KY{sVlMDBmpZGaj%(&~?3VtD5u(W#QigJ=NZr57GYh zf*MH#tg9|{uj`MeiW7`S#v0NnT#jw*%1p~zvp1(o5`Ez~z0(sLk09CCk5;JWrjn0j zwy#ZxVos}^q$>ZYrB>Nm>sBy8J&z?(9EQ^6Dha>=fcq&L=aIPcJyEvr5SV8SX;~OB zO=#akNbd)+;HyMI*rD%C_Ykd#+(oU1k(IX6ENhXIWgd-9;m2?sfC~@|?Dg%^U}1q* zyr<`ljMo~Y<99Xi`qI%SfHKlr!;L9_e{~RdJm87;^}Bgt-cMay%8m75tLgn^v`L^O zW?WGURcuN^;T-ifGEm|h_s3jkNHAVKbFQzCr+**5Icer^B!+qW$F&Ox zgB%{H=h)yJ?PhHkWGVD+zDV=z+mYaq`UC)g##nKoe#dPn2Hu2(#{>g@I<4UxcZ_)q z#zxbBB3Ul|gXcY{ACAoXYrjqYnt+;k-%oAZLKMT0)qdIk_It<4C3GnyJ8Lv^z?or?FWU&9i-(TTK_lW{uU4Cn{anKLFfl^ zr2OUFt3`^mOO0aJbN7R{=CB&_oGOi$l>tR1e9>EuI~9-m_f0NpX>YN$P0s;?%Z!UA zuRnv``W}G<%ycSD_taqC;G2z=Q-whSd*KgRbh;Ca)j5jRh+i3gwY8E(4-3d(b``Z` 
zTiW&(YuZH#w=VK80P}_k*keyZ;2ZnZCrumsagx{S$D3o)+~H=ui>@znEOY><5Q!yZVD+0nj<`P3tn*vqT>;NW6iD*emY>uts2`~JrtPONCdDY1j-w{NBE z{Y3qf+1wi8`&p;KFsI4=CNns%CK=BXvg5AtdD>u~#Z%YK*IM3V{UYT7Zql}d;idF; z#tXCGNnH#Ei7uEq?lz2BRH>KDZ9F2XeEZdx+x%M(zxjeu=v_DlgI(S{+2+0W=j5BT zuaq?tM-p~Yn?q|@P1t15B}W^FO^I z$hZ9R^`6346~v3AVrv9#?)7amZvrSl0IYwdYTj+F!%cW~Q0FE}<04pEoK?nU^1Utn zCFe>*)6?T1AO?4z8*bKpR&k?M#H`u*Fs9U#T&R?88pJmaXsMNod2rqj5Kc^efkTcu znD3T2^}=a`L7ZtJCZuVmc{rn=Djw7IQew9;gf|1E>`Rhzm2kVy1?gA=-*2a#K2F4r z^uCR(iE?`>fM41zwPhl~Auxf)a$uV_+Z4TMUn*Ac@;^<_Q!z1LdDy3WHs>|fuQGKR zJ=1P3#)P5d#Xzn^XD+s|IE;CY+g)J1#r4~d&5W<#qoVdYGRj>DN>iCu*mkvRL42pj zC^f$#kH`xZUfgNjmFr@zm2%gdhWFQL*ba5IHDSr|&c-yunDW=cdTy4^9n)0Np zQhV_*e&+5Wd<{KQy0!2DKK$BW@(R?+TtwO&+z{(@ZBk`Do!0)i@>E^U3jIc&zC6>T<`d6W?te{bBk?lqXjC9L%<>fa>p`R$Nn83Pe5df`}j58XxD}}kz^)d1)@gd7O$Hv8k62et; zOfcF()i*;&ljzxaj_@#QPIk)cOYa1(j~jzBp93`YdO!B_vl%k8SY>FpM^*0(bVj;6 zKgvpEt`H5Mzo0Aamg$Sszvbc23m&2qUB58te!6PRlVkiO$4&)*s7WyCXA5Gqy3RA* zgs(7FLE;LMf^5U` z4;nw>ZK`q_=r^7@?2n3NilZ6az(-2Ia{2i99t*%~HF!3>OK|idA$C}1ElKTha69d0iduwr>3Bd;kw3HufgJPdkKVP^CY#t zMEY$yPM2Z^+Vgj*=m4~yz>?k@5^vMj&TEons29wrOFy2KC(BI*t_%Ao7tNgiA4T|D z8Ji2hJ2v7s;{kxK{1m_%ES7~VgpGUy{RNsmTg7B1k*p2@B$dV)8UPnfk#tdub2N~gx7os^>P)=q)qLs| z{3ErGMjGhY%7CcI-*Khc9>>$iuuqru2L2bm{x6#RPxM}!|66Y*arJq`44(tDx_XC) z{w@7~uxQ8b|I1?i9}R~_hcoDWYKsBY5kEV8Y>y*zM8pIJm7Wudxc=Pg0iamJ3H$*6 zkL)ITM z!9Aj0^-*{%J=$2p7#)S(Pe~f!-|Gvw^lb%)VyEBaDE~m!e{e4VwAyLA-3{O(XLjrj zQ~&i_6jlA8mxce&qUX{YZ$(gxpQw33_e#QL#5EOQEtN33s8a&RKG0<27=Vlplg$q2 z4L}dOaOxyhCB*pkcbNa?{Z!NbTcphC=l9HKV&zzXNA3h-FaFmw5&ebXV{u8`+5UdQ z^gmGhf3p&}1Qna29@9;i`dZbRiy7V1UhL8wP2_N`HDG zy*4Vn(TyS=Y^lJL^q}N(n3#x8X2*`8^I5yq(nN?lz|C|){v=AWziO4FtH9E^_R^>8 zhd1u!jEw*Zooj}SzV5Kpt5a(yx~kH+QJp)%dZmVb5>5@aPl!MDG4f{$Zh`GXTGVu<}WL0B7ZPPQVA_ zevri%xCKt$?(P=aHm5f9+7Ad3oiFxoc2iZaTP3x=%Ht-SgnUrzgT3%f2-pCK)A?Dd zH^wG)nf0o5IPl=;ZN|&0)0$v!dL77K`;X?+=bsTuYcb_tDeygO0mCj}23XKOzf8=> z?(a_Ri#{}y9u5Q(?eSpAB3jmaOdH5jnx=iy1vbi^&GIz2uqMkxP`@6dV1#RLW5<@Y 
zP~8&lKf+zHuAgDCT%vKlhY>d;gQF+<`}bMKhy%pQX%336hTNa|LZ=TZj0MruxN@Z6 z3s~dfRh#8SZ~^Q?Z}P=}4r+xFbQxvZs`ArdsUjFbi$>T!>ccrp6i9B=sj_;#jWt=#jar@2lUn?YaDyk79;Ej3H#B4GZ+l~rwiA|OypDww9v?1l zR3uC9w(X%xPHAy>*@i&hB;!Ks1o)BlqFE0S+iFUPf=8f`Cael#D8c#|rXq=vs!uc- zP++7p%}wRs@6WRK@z(_@OSxXS;j8=S z%!~hWir2cZHvg&YyO8m8%SpKA++}7X`Dk1cLnsW6ybrp0W^P8$-U6i4_^y4+MzBe0 z6RL{uNlx0eNpUM9~qvu&#QnhLQ2R^YO00m_wJFj6&_|( zH4R6ce{t4UlH;z=3fAuFHNX)&<*o{BMzVZzU*TJ(-Z$O1+cwQP8k?LuG$+lm@x?@| z4Sjo&OCcC<>(6Lx2GGoME@-lt2uu{PP){ELVY8Y~rUXEe)Cy4O z-SIlT&888LpAp#KI8u>Z?WLfL7WReuHj!YmU#A3><{>VZ_z8VA2-2X*pmM+(o_Zo3 z;AlQ)CF~-3?C7Nbhqjw@I~ z+b}G*8-{}M%G>OnobYQvK)SbiQVL5`dT^0wg?p?7=dG!$5HSmS;I_!_l0%!=0|}qY zSN!b$=eo4H=Hr>a=M2qvReeoVy*RPFZZA&{on|YB(_h(e7U{PbKpVD-^zZsy+2mM4 zay&H}8}^^EFKEZxZo_cfPKfz(2whbkBfV)JYiW0HTA4hoyJDgJJa%gxBN;GX-!TIi zv-D|@V@}BVPpg5keR^x5lvweqCZAvqLRf_i`9)M5 z!1!)}9)Q}J&~r9__B0M_$#BnKtEuOhqLjhpo!op)pJpB0qW*T^qNSuJf}H-@bN`&90UdXQgURXE#@ok$ z>V5pyGjE-O_Q8Im!62$0jqyV!9WsidlOhx-2Mzr_aZBngZ9g_Y5bxY(( zZ1X+F@o|4k^kV9;=TWNbSWfYUe_xTI!O~a(au~VrVf9{MdA5YG_Nrrsto-wd8dkn- zo!upZ7_RZdgNw0ItiGJHxmX$Vwjt?5qgik^kpK^&dagKM@ccxFLXus09(s)ahX#t* z(rT+k*Wg`?FFbi4%d{QSd<{X73!`OUR$T9HLpY^CVf0poRB2b4Z5b7rWf87eTCYqQ zjMx6?Gp2f1Y!GIK+gCO$@I%#Hpu3mReH$$EM0+I4!3OP*=7Dq(-<3Z-ctPgsj60vR zP~X{(m7Y;3#yr3}UCe1G&AqU+vDd@a4J>5r)#K#Ez{<9Kf{FS~0(yn?4SoFIaqddM+oQF5`2%gAR z|FW=R>j`^y!2EfRxL?ygmN79Kjaf8p<(bi{$3k+vkrIZL)l{!l1m&6)IQf|2Q+29r zGHcqrSUdW{%AyrK`r`bjJ*3-&hgPHlCSdL*S6&ePVGHx_j&BGp*I|Dq!$f<;mR@YR z5I0-gRq*n7`qSxVBodK->NPd&$$i3)YN}6%RcIZntL>K4ao5*Q3@g9!3b7W2J#U}A z384Z<;w4j5PPhY^EvK)K1JB1QIP(TRB#DVBydHENuVA^e@lClm@YS(xvgG8ez$EJ% zpK~sI(YQjBq6Ov1!vSRt?;Yl^Id-;gmB_`Voj>T4!DnN+!XA}@5QodYblf)@Mwg1IB)=TVWV(3nHm*O=WX9V=C|B+bT9FX^HQeoeY zAt8njXB|j>Tk+JrO%kQW>D6u4imW?*bjM|R#h+!g^F{7zqJT1S3J7$E_V4cklzQRm zB#zM*P~u%i+ernfC~RLA=L-;Dy`zQ=$`Z<}uc#r;#5S*k&=knFdDXSii-jRMgIZ~k zOlI`bn?bAQdfrnX%d6uPN5hGbD zZ}OIk7OImv&Nn`u9DPvh?;OP;dgS@;nc1*jE7zMJU_D-Q=X`0?O^)#k$Lv#!&QH81 z*)o3m`G`)#ew=F_`I=NW-PQGBgy~Xz!WWaPF(ch%>*}!){O%2<3+tstVJjgUcHR#w 
zYJONr{hf=3hu?o;>q8f2WQqZsviG||<_^KkE8dqhJW0+P={N1(1#Yx&=T&)YD7LL_ zlzF#To%$%4o85@0LXqRO=JiZhdGCF@r7H-v(MQ>v(F*9@+NMA()ZFWjeyJ~7SMK1@ z3FuQycKVJ~Y5B}`k@w%<&NaFDIgevd9a>J6{p!-K%=*3dFYfwyy$ul=T@efJ7mq4? z`y!wfC(cfood+c~$DN-R_ZtB7LXG}1Dp&8F;7C@BY?uiUF7TrBNUK++Viz_vWEUPy zca1Ht87iQK>aTjXv=>zBK5V}!t$lTQR_DWy-@17jO8)hkw@72&ZerL9;2jKTR&VxM zAHlCyE%`22fkb}7I}?|4 zJjr%@qBBYM2Bew+5Cbh~J;B3i2=ZBW-gP1$21f^*54#O#)JT^9vWjtdZ}$Ujo|lhR z5LdRljaj*<2?^1;`<|VR#J!+WPpg1^`LGP(^r~T$^TJ1na=J;l(&-@C-r8DYPh8Zd zMPk%w(trH$nh{m1v(+N~mq?I%HtrN&3l(Ta~6xb}v3qaZKK<)2M-MU~{}J0M(T; z9+ef1;>a*};&?h1UeEUkSYJzWp4_Vr>X?Xs{q0%upaVFOh-X$9IU0Nm7<|Jjx?)j3 ze9ArvAQnChoW^?N`>b0cS8xEtFXy?=?uJbn7=U-?h9lNc{Fy|$M`>H(>9~d>UdbC! zASu4_t!YsxOTp?}i+q#79QC&+9xH9Qi`NQee}8)6{w?Ia3bx_@Q^uLcL%Ftbd=@jK z8fmhOCCjl?l(8qfI+i08k;X1Yyk$G0gfOWnA~i*eGZQVcgk%Y0D_b0<7`riPN@R=d z+k4N_`#JCX{`)+i=f3ajx}N9x-1qOguCI|C5ptc8Um|nN1|E?F*;qLlU<}TfD$-Dp zXbcanir68QWv@KKw46p>cbQ*!yV7_6dQDE4g-&)(O$y0@*|-U<+&*5jF^B-$*7gbM zwvb~d*GE@CJ?f-d^!mu(CYwFzg&69E$ybSXPU$gK_$v<%Kb!`|X3mEQCI#OWv~6(p z7D6{Y$a|1tT{f$_Ws>2uzcW{SzsO~W^}N~?Q~P?B(mzxiboNWpP`ttpe1+Nir7Oh) z{VkLrmDOaJjWoQt$S5GO8opBUV?(v@`rAfx&Xkb{f6XI7E-6;h*}jE3jBq3}kS6!~L8mwN?&umx(f#OeD9-USm{T1eL1CiY|u~?SCZe?F%}CCk!a- z58f4f5+Jy`E+hR*DPT?B)pR2?c+?RCX5=X{CR^x%yAGj`k3zfmriZdPjcs>tfIK?TD6#~3hB zE4msjJ%(WCcgnJI0&R#VWb{_OMEwA8U~U*<=^7{c4}KFo%Bodfx&P{!)ha zm>AUb^Mt>aT06!6ZG~HH;I&>tbWkuZ{3b=Q@*ZC3 ztkj-abuo#~(D<#6R&5lwe<#=p+}a@yZ4(nfkA*$GU0U|CQnXjg5;w@;v$%W2(rjAS z+b2)d2P>o~(taUo`yjnQ7Measb^Vh$s=gwm_h@&F0XXV-j@;>nKgmR}G!I@PX%;sX3~sAhOqkXY z7d8Ox7`s@~UuVC5AeVSAP^H8lZ#w4=`Ky0eSv@WyDG)W2PIzpTA+Nc#J%bMy-q!x! 
z>0d6#9G--Z8hn&Ye{;OiRfU1x_2GUh{%H~+FVGJedWMkSebhB+A+jT=GyQS;-ng2g z1`~OlW26ToDJTbj9Cta$h(Agl93HmgslP`aaI+SsRp4m(;=%S->*L=}gDsHdv6h46 zj?wqJAuLkAZswxX2bYnCW_>|;#8CYnbz=->#yV>Y2Y_VIaxp@#Y3D&4 zmiD9~FLlYbV_(3{#aXJU`8e5XBU|-L2vqRrEwefR2Y9A>=g%|FI#b|XIi-ESNUyw- zV3q%#d~$WYK`A;2{{t^0es8A5U%Y3z10&nuja2BdM#tb5W%`Gqo%bMRRR8KYLFqer zFuQ{XqmD#_+GRvp_#tt@&wr=sx~WX=EL`Ld9?v6r?0p0wDJg$9YaH)-C6_vO@3?@4 zkfP^)dxz+xBk(JkBnKtmTO>I}@!5u!$UMiRF?D`&l{QYEuIE%*pFCG!_SBk}V zE}bNf#|R-wan$|Zb)d#23cS0PNN037~*&&>+m2-~bo9a?z7J zDlwf)Q{l;~g2~yecHCj0on}sO@60lj4oy{;5!s{V@pRPxUmV<*LvGRCp~(e{aC0dv zB9|PpD}j@0kP`%em1PDX1;}L<0(up@i*xnvV* z9yf-!Vz4eWj~lafAJ3*>b7Z0tJBN|!|H~}ydZh7wBw#@EFLDc$%Y;FB@mvcSEB|dG zL6bM>qYq}yMu-0~`&k!vf;OYxuF8DNgv6)qHq zB=tXw>g9zT$=#BpKY?~g- zs)G_nx#cjjo+K2|A`H*jSe9f2ZMX#Jvt43aXsKTM<{4?qepQ}XZA$%wf*XlpuxQa2}Z@}-W(7xSi`A#zv*9)l9VtQ ztCzu)C(t1{Kf{=_F0#tUCrvz5A^k>B|Ng8}L$+Il{D%dBx@Z09MJcrvG5EoKam?Y- zJ7>VQ!k#i3{FYZj2c6|F66um-A<%$vSXn9DnT}LWgU&YP)^Gq*XE6jB~0vTdVIy**!aL%`+XefRdei1WSz*ZD|l3MlRb?;cNPHpsOau5%Z?_{DQLbrUx*%YGWP3Dt%Ilbyzib-I+q~Jlz_N^j zV7tetrRU8&`@$)2qKD<#G3@oT6~WIFg+;XsC0f<$=7_o7#Ph1AS2r)`c|}A5VYbRp zKy1M{F}9+oQSVH}10N(G2m@3kFgq*psOJEz4I<$08t8X62YbYs8M{A1Q|MpzQ~g z0LzyYCo8~wJJ|f6*H+4rY*dfc{k4w$(UvlSTB)$JLt8z3AwNI9clEhWi-bX3rGB6^f>kIraBwTr_3hOY!C6Ii z!H9G|JcK!(1V4B+Irx-Vtm%LR$4b4UP_Y||ev{(~F>MD9OvtshPBkPmNj%UVnW* z@Wf?^coKSV&tin>XM;1cLi3O=xUFQMa6CFm6(VaKi}y(R9e9gyM+?$&OA!Y6cU#Jf p1aNCxn8zUcZj*oZrNP%^4i=E;BCr-`Kp2ErnjJNLdD!#vzXA74ru6^- literal 0 HcmV?d00001 diff --git a/roles/nginx/files/error-pages/style.css b/roles/nginx/files/error-pages/style.css new file mode 100644 index 0000000..8652fc6 --- /dev/null +++ b/roles/nginx/files/error-pages/style.css @@ -0,0 +1,4 @@ +img.singleton { + display: block; + margin: 10px auto; +} diff --git a/roles/nginx/files/etc/nginx/include/headers_hsts.conf b/roles/nginx/files/etc/nginx/include/headers_hsts.conf deleted file mode 100644 index 01adcb4..0000000 --- a/roles/nginx/files/etc/nginx/include/headers_hsts.conf +++ /dev/null 
@@ -1,4 +0,0 @@
-# Header bitte nur auf "location" Ebene inkludieren:
-# https://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header
-
-add_header Strict-Transport-Security max-age=31536000;
diff --git a/roles/nginx/files/etc/nginx/include/letsencrypt_srv02.conf b/roles/nginx/files/etc/nginx/include/letsencrypt_srv02.conf
deleted file mode 100644
index abb27a7..0000000
--- a/roles/nginx/files/etc/nginx/include/letsencrypt_srv02.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-location ^~ /.well-known/acme-challenge {
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_pass http://srv02.hamburg.freifunk.net$request_uri;
-}
diff --git a/roles/nginx/files/etc/nginx/include/no_logging.conf b/roles/nginx/files/etc/nginx/include/no_logging.conf
deleted file mode 100644
index ed0e771..0000000
--- a/roles/nginx/files/etc/nginx/include/no_logging.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-# Deaktiviert Logging
-
-access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitors loggen.
-
-# Bitte nur zum Debuggen von schweren Fehlern das Log-File temporär setzen und dann anschließend die Logs löschen.
-# So stellen wir sicher, dass keine IPs geloggt werden.
-error_log /dev/null crit;
diff --git a/roles/nginx/files/etc/nginx/include/no_symlinks.conf b/roles/nginx/files/etc/nginx/include/no_symlinks.conf
deleted file mode 100644
index 12a2b2a..0000000
--- a/roles/nginx/files/etc/nginx/include/no_symlinks.conf
+++ /dev/null
@@ -1 +0,0 @@
-disable_symlinks on from=$document_root;
diff --git a/roles/nginx/files/etc/nginx/include/ssl_rewrite.conf b/roles/nginx/files/etc/nginx/include/ssl_rewrite.conf
deleted file mode 100644
index 16b1e9a..0000000
--- a/roles/nginx/files/etc/nginx/include/ssl_rewrite.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-# Generischer Rewrite von HTTP nach HTTPS
-location / {
- return 302 https://$server_name$request_uri;
-}
diff --git a/roles/nginx/files/etc/nginx/include/listing.conf b/roles/nginx/files/snippets/autoindex.conf
similarity index 100%
rename from roles/nginx/files/etc/nginx/include/listing.conf
rename to roles/nginx/files/snippets/autoindex.conf
diff --git a/roles/nginx/files/snippets/error-pages.conf b/roles/nginx/files/snippets/error-pages.conf
new file mode 100644
index 0000000..aecc17c
--- /dev/null
+++ b/roles/nginx/files/snippets/error-pages.conf
@@ -0,0 +1,5 @@
+error_page 502 /_error-pages/502.html;
+
+location ^~ /_error-pages {
+ root /var/www;
+}
diff --git a/roles/nginx/files/snippets/header-hsts.conf b/roles/nginx/files/snippets/header-hsts.conf
new file mode 100644
index 0000000..a5e357f
--- /dev/null
+++ b/roles/nginx/files/snippets/header-hsts.conf
@@ -0,0 +1 @@
+add_header Strict-Transport-Security 'max-age=31536000';
diff --git a/roles/nginx/files/etc/nginx/include/letsencrypt_srv01.conf b/roles/nginx/files/snippets/location-acme-srv01.conf
similarity index 90%
rename from roles/nginx/files/etc/nginx/include/letsencrypt_srv01.conf
rename to roles/nginx/files/snippets/location-acme-srv01.conf
index 60dc5cf..fed6e58 100644
--- a/roles/nginx/files/etc/nginx/include/letsencrypt_srv01.conf
+++ b/roles/nginx/files/snippets/location-acme-srv01.conf
@@ -2,4 +2,5 @@ location ^~ /.well-known/acme-challenge {
 proxy_set_header Host $host;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_pass http://srv01.hamburg.freifunk.net$request_uri;
+ access_log off;
 }
diff --git a/roles/nginx/files/snippets/location-acme.conf b/roles/nginx/files/snippets/location-acme.conf
new file mode 100644
index 0000000..fca5835
--- /dev/null
+++ b/roles/nginx/files/snippets/location-acme.conf
@@ -0,0 +1,5 @@
+location ^~ /.well-known/acme-challenge {
+ root /var/www/_acme-challenge;
+ try_files $uri $uri/ =404;
+ access_log off;
+}
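Review bot: The deleted headers_hsts.conf carried the warning that this directive must only be included at `location` level (with the ngx_http_headers_module add_header link), because a location that sets any `add_header` of its own no longer inherits the headers set at server level; the new header-hsts.conf keeps the directive but drops that note. I would restore it as the snippet's first line: `# Include only at location level: an add_header in a nested level replaces all inherited headers.`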
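Review bot: With `root /var/www/_acme-challenge;` nginx looks a challenge up at `/var/www/_acme-challenge/.well-known/acme-challenge/<token>`, so the ACME client's webroot must now be `/var/www/_acme-challenge` rather than the `/var/www/letsencrypt` the removed `letsencrypt_webroot` default pointed at; any existing renewal configuration on these hosts still using the old path will fail its next renewal, and nothing in this patch updates it. A comment in the snippet naming the expected webroot would make that visible, e.g. `# ACME client webroot must be /var/www/_acme-challenge (created by the role).` Also, `$uri/` in `try_files` serves no purpose for a token directory without an index; `try_files $uri =404;` is enough.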
diff --git a/roles/nginx/files/etc/nginx/include/no_dotfiles.conf b/roles/nginx/files/snippets/no-unsafe-files.conf
similarity index 71%
rename from roles/nginx/files/etc/nginx/include/no_dotfiles.conf
rename to roles/nginx/files/snippets/no-unsafe-files.conf
index 4c26b8c..6f00246 100644
--- a/roles/nginx/files/etc/nginx/include/no_dotfiles.conf
+++ b/roles/nginx/files/snippets/no-unsafe-files.conf
@@ -1,7 +1,8 @@
+disable_symlinks on from=$document_root;
+
 # Do not serve dotfiles.
 location ~ /\. {
 deny all;
 access_log off;
 log_not_found off;
 }
-
diff --git a/roles/nginx/handlers/main.yml b/roles/nginx/handlers/main.yml
index 9b55c2a..d4e42ca 100644
--- a/roles/nginx/handlers/main.yml
+++ b/roles/nginx/handlers/main.yml
@@ -1,9 +1,4 @@
 ---
-- name: restart nginx
- service:
- name: nginx
- state: restarted
-
 - name: reload nginx
 service:
 name: nginx
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index baf15ab..ef4a286 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
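Review bot: The dotfile deny is a regex location (`location ~ /\.`) that also matches `/.well-known/acme-challenge`; it is only bypassed because both acme snippets declare their location with `^~`, which stops regex matching once that prefix wins. That coupling is not written down anywhere in the snippet, so a future snippet using a plain prefix location under `/.well-known` would get 403s. I would say so above the block: `# Also matches /.well-known; ACME locations must use ^~ so this regex is not consulted.`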
@@ -1,39 +1,36 @@
 ---
 - name: install nginx
 apt:
- name: nginx
- state: present
- tags: nginx
+ name: "{{ nginx_package }}"
+ cache_valid_time: 86400
 
-- name: disable default site
+- name: create directories
 file:
- path: /etc/nginx/sites-enabled/default
- state: absent
- notify: restart nginx
- tags: nginx
+ path: "{{ item }}"
+ state: directory
+ with_items:
+ - /var/www/_acme-challenge
+ - /var/www/_error-pages
 
-- name: copy includes
+- name: copy error-pages
 copy:
- src: etc/nginx/include
- dest: /etc/nginx
- mode: 0644
- owner: root
- group: root
- notify: restart nginx
- tags: nginx
+ src: error-pages/
+ dest: /var/www/_error-pages/
 
-- name: template letsencrypt.conf
- template:
- src: letsencrypt.conf.j2
- dest: /etc/nginx/include/letsencrypt.conf
+- name: copy snippets
+ copy:
+ src: snippets/
+ dest: /etc/nginx/snippets/
 
 - name: template nginx.conf
 template:
- src: templates/nginx.conf.j2
+ src: nginx.conf.j2
 dest: /etc/nginx/nginx.conf
- mode: 0644
- owner: root
- group: root
 backup: yes
- notify: restart nginx
- tags: nginx
+ notify: reload nginx
+
+- name: remove default site
+ file:
+ path: /etc/nginx/sites-enabled/default
+ state: absent
+ notify: reload nginx
diff --git a/roles/nginx/templates/letsencrypt.conf.j2 b/roles/nginx/templates/letsencrypt.conf.j2
deleted file mode 100644
index 29732db..0000000
--- a/roles/nginx/templates/letsencrypt.conf.j2
+++ /dev/null
@@ -1,4 +0,0 @@
-location ^~ /.well-known/acme-challenge {
- root {{ letsencrypt_webroot }};
- try_files $uri $uri/ =404;
-}
diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2
index 4293b90..d278f8e 100644
--- a/roles/nginx/templates/nginx.conf.j2
+++ b/roles/nginx/templates/nginx.conf.j2
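Review bot: The new `copy snippets` task notifies no handler, so an edited snippet under /etc/nginx/snippets/ is copied but not applied until something else happens to trigger `reload nginx`; the old `copy includes` task it replaces did notify a restart. Add `notify: reload nginx` to `copy snippets` (the error pages are served straight from /var/www and need no reload). The copy and template tasks also dropped the explicit `mode: 0644` / `owner: root` / `group: root`, so ownership and mode of newly created files now follow the target's defaults rather than being pinned; if that is deliberate, a short comment on the tasks would save the next reader from wondering whether it was an oversight.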
@@ -1,91 +1,75 @@ user www-data; -worker_processes auto; +worker_processes {{ nginx_worker_processes }}; pid /run/nginx.pid; +include /etc/nginx/modules-enabled/*.conf; events { - worker_connections 768; - # multi_accept on; + worker_connections {{ nginx_worker_connections }}; + # multi_accept on; } http { - ## - # Basic Settings - ## + ## + # Basic Settings + ## - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 65; - types_hash_max_size 2048; - server_tokens off; + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + server_tokens off; +{% if nginx_resolver is defined %} + resolver {{ nginx_resolver }}; +{% endif %} - # server_names_hash_bucket_size 64; - # server_name_in_redirect off; + # server_names_hash_bucket_size 64; + # server_name_in_redirect off; - include /etc/nginx/mime.types; - default_type application/octet-stream; + include /etc/nginx/mime.types; + default_type application/octet-stream; - ## - # SSL Settings - ## + ## + # SSL Settings + ## - ssl_ciphers ECDH+aRSA+AESGCM:ECDH+aRSA+AES:+SHA1; - ssl_prefer_server_ciphers on; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 10m; - ssl_stapling on; - ssl_stapling_verify on; + ssl_protocols TLSv1.2; + ssl_prefer_server_ciphers on; + ssl_ciphers ECDH+aRSA+AESGCM:ECDH+aRSA+AES:!SHA1; + ssl_session_cache shared:SSL:1M; + ssl_session_timeout 10m; +{% if nginx_resolver is defined %} + ssl_stapling on; + ssl_stapling_verify on; +{% endif %} - resolver {{ nginx_resolver }}; + ## + # Logging Settings + ## - ## - # Logging Settings - ## + log_format privacy '$server_name:$server_port 127.0.0.1 - - [$time_local] "$request" $status $body_bytes_sent'; + access_log {{ nginx_access_log }}; + error_log {{ nginx_error_log }}; - include /etc/nginx/include/no_logging.conf; + ## + # Gzip Settings + ## - ## - # Gzip Settings - ## + gzip on; + gzip_disable "msie6"; - gzip on; - gzip_disable "msie6"; + # 
gzip_vary on; + # gzip_proxied any; + # gzip_comp_level 6; + # gzip_buffers 16 8k; + # gzip_http_version 1.1; + # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; - # gzip_vary on; - # gzip_proxied any; - # gzip_comp_level 6; - # gzip_buffers 16 8k; - # gzip_http_version 1.1; - # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; + ## + # Virtual Host Configs + ## - ## - # Virtual Host Configs - ## - - include /etc/nginx/conf.d/*.conf; - include /etc/nginx/sites-enabled/*; + include /etc/nginx/conf.d/*.conf; + include /etc/nginx/sites-enabled/*; } - - -#mail { -# # See sample authentication script at: -# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript -# -# # auth_http localhost/auth.php; -# # pop3_capabilities "TOP" "USER"; -# # imap_capabilities "IMAP4rev1" "UIDPLUS"; -# -# server { -# listen localhost:110; -# protocol pop3; -# proxy on; -# } -# -# server { -# listen localhost:143; -# protocol imap; -# proxy on; -# } -#}
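Review bot: `log_format privacy` is defined but nothing in the template or the defaults references it, and nothing explains that the literal `127.0.0.1` in place of `$remote_addr` exists to keep visitor IPs out of any log a host opts into; the deleted no_logging.conf carried that rationale. I would add above it: `# Anonymised format: the client address is replaced by 127.0.0.1. Opt in per host with nginx_access_log, e.g. "<path-to-log> privacy".` `ssl_protocols TLSv1.2;` is an improvement over the old TLSv1/TLSv1.1 list, but it also excludes TLSv1.3 where the installed nginx and OpenSSL support it; if the target package is recent enough, `ssl_protocols TLSv1.2 TLSv1.3;` is the usual setting, otherwise a comment saying why it is pinned. Finally, most of this hunk is a whitespace re-indentation of unchanged directives, which buries the substantive changes (resolver and stapling guards, session cache size, cipher list, modules-enabled include); splitting the re-indentation into its own commit would make these easier to review.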