community: Enable ssl stapling and set a ssl_dhparam

cookbooks/community/templates/default/web_only.yml.erb

@@ -1,6 +1,5 @@
 templates:
   - "templates/web.template.yml"
-  - "templates/web.ipv6.template.yml"
   - "templates/web.ssl.template.yml"
 
 ## which TCP/IP ports should this container expose?
@@ -85,6 +84,9 @@ volumes:
   - volume:
       host: /etc/ssl/private/community.openstreetmap.org.key
       guest: /shared/ssl/ssl.key
+  - volume:
+      host: /etc/ssl/certs/dhparam.pem
+      guest: /shared/ssl/dhparam.pem
   - volume:
       host: /srv/community.openstreetmap.org/files/update-feeds.atom
       guest: /shared/feeds/update-feeds.atom
@@ -101,6 +103,7 @@ hooks:
           - sudo -H -E -u discourse git clone --depth 1 https://github.com/discourse/discourse-canned-replies.git
           - sudo -H -E -u discourse git clone --depth 1 https://github.com/discourse/discourse-reactions.git
           - sudo -H -E -u discourse git clone --depth 1 https://github.com/discourse/discourse-prometheus.git
+          # FIXME revert to upstream once PR has been merged: https://github.com/discourse/discourse-translator/pull/103
           - sudo -H -E -u discourse git clone --depth 1 --branch serbian-digraphic-fix https://github.com/Firefishy/discourse-translator.git
           - sudo -H -E -u discourse git clone --depth 1 https://github.com/discourse/discourse-saved-searches.git
     - exec:
@@ -121,4 +124,8 @@ hooks:
         filename: "/etc/nginx/conf.d/discourse.conf"
         from: /add_header.+/
         to: |
-          add_header Strict-Transport-Security 'max-age=63072000';
+          add_header Strict-Transport-Security 'max-age=31536000; preload';
+          ssl_stapling on;
+          resolver <%= node[:networking][:nameservers].join(" ") %>;
+          resolver_timeout 5s;
+          ssl_dhparam /shared/ssl/dhparam.pem;