nginx: Add plumbing for enabling HTTP/3 conditionally

We want to roll out HTTP/3 slowly, so this adds the necessary plumbing
and makes it possible to enable it per host.

Instead of adding the conditional logic to each nginx template, the 443
listen config is moved out into a snippet which is managed by the nginx
role.

HTTP/3 uses QUIC which is built on UDP. UDP is connectionless and
therefore reuseport[1][2] must be used to ensure that UDP packets for
the same QUIC connection is directed to the same worker. reuseport can
only be enabled once, so a default_server is added to the
"inventory_hostname vhost" for SSL/QUIC (reuseport is only enabled for
the latter). ssl_reject_handshake[3] is enabled as that allows enabling
SSL/QUIC without specifying a certificate.

[1] https://nginx.org/en/docs/http/ngx_http_core_module.html#listen
[2] https://lwn.net/Articles/542629/
[3] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake

Ref #606

roles/archive_web/templates/nginx.d.conf.j2

@@ -16,9 +16,7 @@ server {
 }
 
 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ archive_domain }};
 
     access_log   /var/log/nginx/{{ archive_domain }}/access.log reduced;

roles/archmanweb/templates/nginx.d.conf.j2

@@ -23,9 +23,7 @@ server {
 }
 
 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ archmanweb_domain }};
 
     access_log   /var/log/nginx/{{ archmanweb_domain }}/access.log reduced;

roles/archweb/templates/ipxe.archlinux.org.j2

@@ -16,9 +16,7 @@ server {
 }
 
 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ domain['domain_name'] }};
 
     access_log   /var/log/nginx/{{ archweb_domain }}/access.log reduced;

roles/archweb/templates/maintenance-nginx.d.conf.j2

@@ -21,9 +21,7 @@ server {
 }
 
 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ domain }};
 
     access_log   {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
@@ -60,9 +58,7 @@ server {
 }
 
 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ domain }};
 
     access_log   {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
@@ -98,9 +94,7 @@ server {
 }
 
 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ service_domain }};
 
     access_log   {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;

roles/archweb/templates/nginx.d.conf.j2

@@ -54,9 +54,7 @@ server {
 }
 
 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ domain['domain'] }};
 
     access_log   /var/log/nginx/{{ archweb_domain }}/access.log reduced;
@@ -102,9 +100,7 @@ server {
 }
 
 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ archweb_domain }};
 
     access_log   /var/log/nginx/{{ archweb_domain }}/access.log reduced;

roles/archwiki/templates/nginx.d.conf.j2

@@ -59,9 +59,7 @@ server {
 }
 
 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ archwiki_domain }};
 
     access_log   /var/log/nginx/{{ archwiki_domain }}/access.log reduced;

roles/aurweb/templates/nginx.d.conf.j2

@@ -35,9 +35,7 @@ server {
 }
 
 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ aurweb_domain }};
 
     access_log   /var/log/nginx/{{ aurweb_domain }}/access.log main;

roles/dbscripts/templates/nginx.d.conf.j2

@@ -3,9 +3,7 @@ proxy_cache_path  /var/lib/nginx/cache levels=1:2 keys_zone=auth_cache:5m inacti
 server {
     listen       80;
     listen       [::]:80;
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ repos_domain }} {{repos_rsync_domain}};
     root         /srv/ftp;
 

roles/debuginfod/templates/nginx.d.conf.j2

@@ -16,9 +16,7 @@ server {
 }
 
 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ debuginfod_domain }};
 
     access_log   /var/log/nginx/{{ debuginfod_domain }}/access.log reduced;

roles/fluxbb/templates/nginx.conf.j2

@@ -23,9 +23,7 @@ limit_req_zone $binary_remote_addr zone=bbslimit:10m rate=10r/s;
 limit_req_status 429;
 
 server {
-    listen 443 ssl;
-    listen [::]:443 ssl;
-    http2  on;
+    include snippets/listen-443.conf;
     server_name {{ fluxbb_domain }};
     root {{ fluxbb_dir }};
     index index.php;

roles/grafana/templates/nginx.d.conf.j2

@@ -25,9 +25,7 @@ server {
 }
 
 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ grafana_domain }};
 
     access_log   /var/log/nginx/{{ grafana_domain }}/access.log main;

roles/hedgedoc/templates/nginx.d.conf.j2

@@ -24,9 +24,7 @@ server {
 }
 
 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ hedgedoc_domain }};
 
     access_log   /var/log/nginx/{{ hedgedoc_domain }}/access.log main;

roles/keycloak/templates/nginx.d.conf.j2

@@ -16,9 +16,7 @@ server {
 }
 
 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ keycloak_domain }};
 
     access_log   /var/log/nginx/{{ keycloak_domain }}/access.log reduced;

roles/mailman/templates/nginx.d.conf.j2

@@ -35,9 +35,7 @@ server {
 }
 
 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ lists_domain }};
 
     access_log   /var/log/nginx/{{ lists_domain }}/access.log main;

roles/maintenance/templates/nginx-maintenance.conf.j2

@@ -17,9 +17,7 @@ server {
 }
 
 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ domain }};
 
     access_log   {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
@@ -56,9 +54,7 @@ server {
 }
 
 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ domain }};
 
     access_log   {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
@@ -94,9 +90,7 @@ server {
 }
 
 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ service_domain }};
 
     access_log   {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;

roles/matrix/templates/nginx.d.conf.j2

@@ -22,9 +22,7 @@ server {
 }
 
 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ matrix_domain }};
 
     access_log   /var/log/nginx/{{ matrix_domain }}/access.log reduced;

roles/mirrorsync/templates/nginx.d.conf.j2

 server {
     listen       80;
     listen       [::]:80;
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ item.value.mirror_domain }};
     root         {{ item.value.target }};
 

roles/mta_sts/templates/nginx.d.conf.j2

@@ -18,9 +18,7 @@ server {
 }
 
 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  mta-sts.{{ config.domains | join(' mta-sts.') }};
 
     access_log   /var/log/nginx/{{ domain }}/access.log reduced;

roles/nginx/defaults/main.yml

 letsencrypt_validation_dir: "/var/lib/letsencrypt"
 nginx_firewall_zone:
 nginx_extra_modules: []
+nginx_enable_http3: false

roles/nginx/tasks/main.yml

@@ -19,11 +19,12 @@
     - snippets
 
 - name: Copy snippets
-  template: src={{ item }} dest=/etc/nginx/snippets owner=root group=root mode=0644
+  template: src={{ item }} dest=/etc/nginx/snippets/{{ item | regex_replace('\\.j2$', '') }} owner=root group=root mode=0644
   with_items:
     - letsencrypt.conf
     - sslsettings.conf
     - headers.conf
+    - listen-443.conf.j2
   notify:
     - Reload nginx
 
@@ -66,6 +67,7 @@
   with_items:
     - http
     - https
+    - "{{ 'http3' if nginx_enable_http3 else omit }}"
   when: configure_firewall
   tags:
     - firewall