create dhparam

defaults/main.yml

@@ -5,3 +5,6 @@ nginx_open_ports:
 ssl_priv_key: ""
 ssl_intermediate_cert: ""
 ssl_chained_cert: ""
+
+dhparam_size: '4069'
+dhparam_file: '/etc/pki/tls/certs/dhparam-{{dhparam_size}}.pem'

tasks/config.yml

@@ -111,6 +111,17 @@
   notify:
     - nginx_reload
 
+- name: register dhparam file
+  stat:
+    path: "{{ dhparam_file }}"
+  register: dh_file
+
+- name: Generate Diffie-Hellman parameter file
+  shell: "/usr/bin/openssl dhparam -out '{{ dhparam_file }}' {{ dhparam_size }}"
+  async: 3600
+  poll: 60
+  when: dh_file.stat.isfile is not defined
+
 - name: Open ports in iptables
   iptables_raw:
     name: allow_nginx_ports

templates/etc/nginx/conf.d/tls.conf.j2

@@ -13,4 +13,4 @@ ssl_stapling_verify on;
 ssl_trusted_certificate /etc/pki/tls/certs/my-intermediate.crt;
 
 ssl_prefer_server_ciphers on;
-ssl_dhparam /etc/nginx/cert/dhparam.pem;
+ssl_dhparam {{ dhparam_file }};