diff --git a/roles/nginx/cfg.schema.json b/roles/nginx/cfg.schema.json
new file mode 100644
index 0000000..d557b5f
--- /dev/null
+++ b/roles/nginx/cfg.schema.json
@@ -0,0 +1,20 @@
+{
+ "nullable": false,
+ "type": "object",
+ "properties": {
+ "auto_reload_interval": {
+ "nullable": true,
+ "type": "integer",
+ "description": "in hours",
+ "default": null
+ },
+ "improved_security": {
+ "nullable": false,
+ "type": "boolean",
+ "default": false
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ ]
+}
diff --git a/roles/nginx/defaults/main.json b/roles/nginx/defaults/main.json
index 4edfc40..c85ab4c 100644
--- a/roles/nginx/defaults/main.json
+++ b/roles/nginx/defaults/main.json
@@ -1,4 +1,6 @@
 {
- "var_nginx_auto_reload_interval": null,
- "var_nginx_improved_security": false
+ "cfg_nginx_defaults": {
+ "auto_reload_interval": null,
+ "improved_security": false
+ }
 }
diff --git a/roles/nginx/tasks/main.json b/roles/nginx/tasks/main.json
index 46f353c..d8b8ce0 100644
--- a/roles/nginx/tasks/main.json
+++ b/roles/nginx/tasks/main.json
@@ -12,8 +12,8 @@
 },
 {
 "name": "generate dhparams file",
+ "when": "cfg_nginx.improved_security",
 "become": true,
- "when": "var_nginx_improved_security",
 "ansible.builtin.command": {
 "cmd": "openssl dhparam -out /etc/nginx/dhparam 4096"
 },
@@ -23,7 +23,7 @@
 },
 {
 "name": "place hardening config",
- "when": "var_nginx_improved_security",
+ "when": "cfg_nginx.improved_security",
 "become": true,
 "ansible.builtin.copy": {
 "src": "ssl-hardening.conf",
@@ -61,13 +61,13 @@
 },
 {
 "name": "auto reload",
- "when": "var_nginx_auto_reload_interval == None",
+ "when": "cfg_nginx.auto_reload_interval == None",
 "become": true,
 "ansible.builtin.cron": {
 "name": "nginx_auto_reload",
 "disabled": true,
 "minute": "0",
- "hour": "*/{{var_nginx_auto_reload_interval | string}}",
+ "hour": "*/{{cfg_nginx.auto_reload_interval | string}}",
 "day": "*",
 "month": "*",
 "weekday": "*",
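Review bot: In roles/nginx/cfg.schema.json, `nullable` is an OpenAPI 3.0 keyword rather than a JSON Schema one, so a generic JSON Schema validator would ignore it and then reject the `null` default of `auto_reload_interval` against `"type": "integer"`. Which validator consumes this file is not visible in the diff; if it is a standard one, express nullability in the type itself with `"type": ["integer", "null"]`. Declaring the dialect with a `"$schema"` entry at the top would make it clear which keywords are expected to be enforced.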
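Review bot: In roles/nginx/defaults/main.json the defaults now live under `cfg_nginx_defaults`, but every task changed in this commit reads `cfg_nginx`, and nothing in the visible diff builds `cfg_nginx` from the defaults. Wherever that happens, it needs to be a key-wise merge such as `cfg_nginx_defaults | combine(cfg_nginx | default({}))`, because Ansible replaces dictionaries wholesale by default. Otherwise an inventory that sets only `auto_reload_interval` leaves `improved_security` undefined for the `when` conditions that gate the dhparam and hardening tasks.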
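Review bot: In the `generate dhparams file` task (roles/nginx/tasks/main.json, hunk at line 12) the condition is the bare variable `cfg_nginx.improved_security`, so a value that arrives as a string, for instance from `-e` on the command line, may not be evaluated as the boolean the operator meant. Since this flag decides whether the TLS hardening is applied at all, cast it explicitly: `"when": "cfg_nginx.improved_security | bool"`. The same applies to `place hardening config` in the hunk at line 23. Whether cfg.schema.json is enforced before the tasks run is not shown here, and both task bodies continue outside their hunks.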
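Review bot: In the first `auto reload` task (roles/nginx/tasks/main.json, hunk at line 61) the branch runs only when `auto_reload_interval` is null, so the `hour` template renders the literal `*/None` into the disabled crontab entry. Removing the entry with `"state": "absent"` instead of `"disabled": true`, or using a fixed `"hour": "0"` in this branch, avoids leaving an invalid schedule behind that someone could later re-enable by hand. `is none` and `is not none` are the idiomatic Jinja tests for this condition and for its counterpart in the hunk at line 76. The rest of the task lies outside the hunk, so an existing `state` key cannot be ruled out.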
@@ -76,13 +76,13 @@
 },
 {
 "name": "auto reload",
- "when": "var_nginx_auto_reload_interval != None",
+ "when": "cfg_nginx.auto_reload_interval != None",
 "become": true,
 "ansible.builtin.cron": {
 "name": "nginx_auto_reload",
 "disabled": false,
 "minute": "0",
- "hour": "*/{{var_nginx_auto_reload_interval | string}}",
+ "hour": "*/{{cfg_nginx.auto_reload_interval | string}}",
 "day": "*",
 "month": "*",
 "weekday": "*",
diff --git a/roles/nginx/vardef.json b/roles/nginx/vardef.json
deleted file mode 100644
index c03ddc6..0000000
--- a/roles/nginx/vardef.json
+++ /dev/null
@@ -1,8 +0,0 @@
-{
- "auto_reload_interval": {
- "description": "in hours",
- "nullable": true,
- "type": "integer",
- "mandatory": false
- }
-}
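Review bot: In the enabled `auto reload` task (roles/nginx/tasks/main.json, hunk at line 76) `cfg_nginx.auto_reload_interval` is interpolated into the cron step `*/N` with no range check, and the schema added in this commit constrains it only to `integer`. A value of 0 or below yields an invalid hour field, and anything above 23 will not give the interval that the "in hours" description promises. Bounding the property in cfg.schema.json with `"minimum": 1` and `"maximum": 23` would reject such values before the crontab is written. The task continues past the end of the hunk.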