commit 9398dd19727f5f7103e96f47bba5c705df7fdae4 parent ef71a895bb2bf4b2aef0d8c242610d18ff3fedd9 Author: Florian Dold <florian@dold.me> Date: Mon, 24 Feb 2025 16:49:37 +0100 Allow pregenerated dhparam Diffstat:
| M | inventories/host_vars/fdold-acai/test-public.yml | | | 3 | +++ |
| A | roles/common_packages/files/dhparam_pregenerated.pem | | | 13 | +++++++++++++ |
| M | roles/common_packages/tasks/main.yml | | | 12 | +++++++++++- |
3 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/inventories/host_vars/fdold-acai/test-public.yml b/inventories/host_vars/fdold-acai/test-public.yml
@@ -1,4 +1,7 @@
 ---
+# Pregenerated dhparam.pem is less secure
+# but significantly faster.
+USE_PREGENERATED_DHPARAM: true
 # Public variables for a "test" deployment
 # Deploy challenger?
 DEPLOY_CHALLENGER: false
diff --git a/roles/common_packages/files/dhparam_pregenerated.pem b/roles/common_packages/files/dhparam_pregenerated.pem
@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICDAKCAgEAoZv/NquBrpjvD7/qqp4wJwnf3Vt4HEPgG00m4o1Jguoejwtnp1Xv
+jRy6d5lxxMaVySiVnJR7QE5Si11A7aIeJQF5sXFlUAPjP9BAOLqjT6b5UCXcvgn3
+3PJEa30q/G8n74SKCwcrDBEwp5DsTWkIoZu87ieBNvQCHBo5b6FUs5wrvMu5581T
+56QjPmpU8681rwrgh5BT6sPYafWLjVvj8CRZJRmhBjXJS1rkhLxpGuhUY5kRORCy
+NNy9YbXPTeLLTbHfyn7IQ0o0hcLgWv2RNJf+RIWYyGqJbn64asdWXSQDL8mwCXM1
+QPo9IEdTlB4iVk7Cdku/ZJQXv9GpT2rKJQKIFERx0k8UkZLiwpKsBseYBYVkm632
++ljy1jbihBcq8jU55uIXw8bmawooL0hpcaFIKwsysjUXV34VMihtPYerjHmaNZ+5
+RrE0E/JLUiSO+6PxC+Hc7B4RWKiDqz7C3WTNflpEZeUKN5t41+Skm6nPnZ+HZY6Q
+sZLweKj2Cxb+BRFZAGRN3yaHcxlTS+CwEuQAOozW07mDs8KeP2bAwUzbdnVal13Y
+uEt8iocNC1lZ6PL0Enc691801yUGyuTuM994zstjyYS/EHanIEtXTguxsrEjBo5J
+dGCmHtYAFSlyWa8OAUkQT16x7dNkxyTtDMVmPnoCq2MK7t7c0OKrU6cCAQICAgFF
+-----END DH PARAMETERS-----
diff --git a/roles/common_packages/tasks/main.yml b/roles/common_packages/tasks/main.yml
@@ -78,8 +78,18 @@
     state: latest
   when: ansible_os_family == 'Debian'
 
-- name: create dhparam.pem
+- name: Generate dhparam.pem
   command: openssl dhparam -out dhparam.pem 4096
   args:
     chdir: /etc/ssl/private/
     creates: /etc/ssl/private/dhparam.pem
+  when: (USE_PREGENERATED_DHPARAM | default(False)) == False
+
+- name: Deploy pregenerated dhparam.pem
+  copy:
+    src: dhparam_pregenerated.pem
+    dest: /etc/ssl/private/dhparam.pem
+    owner: root
+    group: root
+    mode: 0644
+  when: (USE_PREGENERATED_DHPARAM | default(False)) == True
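Review bot: The new comment `# Pregenerated dhparam.pem is less secure` states a verdict without the reason, so someone enabling the flag on another host cannot judge the trade-off. What actually changes is that one group, committed to the repository and shared by every host with the flag set, replaces a per-host group; for a group of the size the generation task requests (4096 bits, which the added PEM appears to match) this is generally considered acceptable, whereas a small or widely shared group would not be. Suggest `# Pregenerated dhparam.pem: one public group shared by all hosts with this flag` / `# (skips the slow per-host generation); only use a large, self-generated group.` so the condition under which the shortcut is reasonable is recorded next to the switch.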
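Review bot: Flipping USE_PREGENERATED_DHPARAM from true back to false on a host does not restore a per-host group: the copy task has already created /etc/ssl/private/dhparam.pem, so `creates:` turns the `Generate dhparam.pem` task into a no-op and the shared group stays in place indefinitely. Either document this on the task, or remove the file before generating when the flag is off (a `file:` task with `state: absent` guarded by the same condition, ideally only when the installed file matches the pregenerated one). The two `when` expressions would also be more robust as `when: not (USE_PREGENERATED_DHPARAM | default(false) | bool)` and `when: USE_PREGENERATED_DHPARAM | default(false) | bool`, which accept a string value from the inventory or extra-vars instead of comparing against the literal `True`/`False`. The enclosing task list starts before this hunk.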