sync roles with changes from OWS

roles/webserver/templates/conf.d/cloud.conf.j2

@@ -22,7 +22,10 @@ server {
 server {
     listen 443 ssl;
     listen [::]:443 ssl;
-    http2 on;
+    # Enable QUIC and HTTP/3.
+    listen 443 quic;
+    listen [::]:443 quic;
+
     server_name {{ nextcloud_domain_name }} www.{{ nextcloud_domain_name }};
     include global/cert.conf;
 
@@ -35,7 +38,7 @@ server {
     # will add the domain to a hardcoded list that is shipped
     # in all major browsers and getting removed from this list
     # could take several months.
-    add_header Strict-Transport-Security "max-age=63072000" always;
+    add_header Strict-Transport-Security "max-age=15768000; preload" always;
 
     # set max upload size and increase upload timeout:
     client_max_body_size {{ nextcloud_max_upload_size }};
@@ -68,6 +71,10 @@ server {
     add_header X-Robots-Tag                      "noindex, nofollow" always;
     add_header X-XSS-Protection                  "1; mode=block"     always;
 
+    # Add Alt-Svc header to negotiate HTTP/3.
+    add_header Alt-Svc 'h2=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400' always;
+    add_header x-quic 'h3' always;
+
     # Remove X-Powered-By, which is an information leak
     fastcgi_hide_header X-Powered-By;
 

roles/webserver/templates/conf.d/twirling.conf.j2

@@ -9,9 +9,17 @@ server {
 }
 
 server {
-    # Enable HTTP/2
-    listen 443 ssl http2 default_server;
-    listen [::]:443 ssl http2 default_server;
+    listen 443 ssl default_server;
+    listen [::]:443 ssl default_server;
+    http2 on;
+    # Enable QUIC and HTTP/3.
+    listen 443 quic reuseport default_server;
+    listen [::]:443 quic reuseport default_server;
+    http3 on;
+    http3_hq on;
+    quic_retry on;
+    quic_gso on;
+
     server_name {{ webserver_domain }} www.{{ webserver_domain }};
     include global/cert.conf;
     include global/header.conf;