diff --git a/roles/webserver-core/nginx/files/includes/tls-modern-only b/roles/webserver-core/nginx/files/includes/tls-modern-only
new file mode 100644
--- /dev/null
+++ b/roles/webserver-core/nginx/files/includes/tls-modern-only
@@ -0,0 +1,63 @@
+#   -------------------------------------------------------------
+#   nginx :: configuration :: TLS
+#   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+#   Project:        Nasqueron
+#   Description:    Modern services with only TLS 1.3 support
+#   Strategy:       nginx 1.17.7, modern config, OpenSSL 1.1.1k
+#   See also:       https://ssl-config.mozilla.org/
+#   License:        Trivial work, not eligible for copyright.
+#   Source file:    roles/webserver-core/nginx/files/includes/tls-modern-only
+#   -------------------------------------------------------------
+#
+#   <auto-generated>
+#       This file is managed by our rOPS SaltStack repository.
+#
+#       Changes to this file may cause incorrect behavior
+#       and will be lost if the state is redeployed.
+#   </auto-generated>
+
+listen 443 ssl http2;
+listen [::]:443 ssl http2;
+
+keepalive_timeout   70;
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.3;
+ssl_prefer_server_ciphers off;
+
+#   -------------------------------------------------------------
+#   HSTS - HTTP Strict Transport Security
+#
+#   As we provide a Let's Encrypt certificate for all our services,
+#   browser should be instructed to connect directly to HTTPS.
+#
+#   This is low risk, as the browser only honour this request
+#   as soon as it successfully connected to HTTPS without any
+#   certificate issue.
+#   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+add_header Strict-Transport-Security "max-age=63072000" always;
+
+#   -------------------------------------------------------------
+#   OCSP - Online Certificate Status Protocol
+#
+#   To improve TLS handshake speed, and to help protecting the
+#   privacy of the users connecting here, as there isn't any need
+#   for them to connect to the CRL anymore, OSCP is enabled.
+#
+#   The parameter `ssl_trusted_certificate` points to a bundle
+#   of CA certificates, currently containing Let's Encrypt
+#   intermediate and root certificates. If *any* certificate
+#   is issued by another CA, their certificates must be added
+#   to the bundle too.
+#   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ssl_stapling on;
+ssl_stapling_verify on;
+
+ssl_trusted_certificate /usr/local/share/certs/ocsp-ca-certs.pem;
+
+resolver 127.0.0.1;
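Review bot: The HSTS header on line 47 is silently lost in any server or location block that declares its own `add_header` (a CSP, Cache-Control or X-Frame-Options header, say), because nginx inherits `add_header` directives from the enclosing level only when the current level defines none; the include should warn about this above line 47, e.g. `#   NOTE: nginx does not merge add_header across levels; any server/location that sets its own header must re-add Strict-Transport-Security.` The OCSP block is also best-effort rather than enforced: if the responder fetch fails or `ssl_stapling_verify` rejects the response, nginx only logs a warning and completes the handshake without a staple, so the privacy benefit claimed at lines 52–54 degrades silently unless the certificate carries the Must-Staple extension, and the comment should state that. Browsers that fall back to their own revocation check contact the CA's OCSP responder, not a CRL, so `connect to the CRL` on line 54 is imprecise (and `OSCP` is a typo for OCSP). The `resolver 127.0.0.1;` on line 68 leaves the default 30s `resolver_timeout` and IPv6 lookups in place; presumably fine for a local caching resolver, but it is worth confirming the Salt state actually deploys one, since an absent resolver breaks the stapling fetch at runtime while `nginx -t` still passes.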