From ac395e2a4701855194909cb50b6f53a18bc9c205 Mon Sep 17 00:00:00 2001
From: Robert Kaussow
Date: Sun, 9 Dec 2018 23:12:03 +0100
Subject: [PATCH] add ssl_dhparam if enabled

---
 defaults/main.yml                      | 2 ++
 tasks/tls.yml                          | 6 ++++++
 templates/etc/nginx/conf.d/tls.conf.j2 | 4 ++++
 3 files changed, 12 insertions(+)

diff --git a/defaults/main.yml b/defaults/main.yml
index 6e071e6..0950ca4 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -59,6 +59,8 @@ nginx_tls_cert_source: mycert.pem
 nginx_tls_key_source: mykey.pem
 nginx_tls_cert_file: mycert.pem
 nginx_tls_key_file: mykey.pem
+# nginx_tls_dhparam_file: # defaults to not set
+# nginx_tls_dhparam_size: # defaults to 2048
 
 nginx_tls_ciphers:
   - ECDHE-ECDSA-CHACHA20-POLY1305
diff --git a/tasks/tls.yml b/tasks/tls.yml
index 7aa4be3..6b8ec18 100644
--- a/tasks/tls.yml
+++ b/tasks/tls.yml
@@ -26,6 +26,12 @@
     notify: __nginx_reload
     when: nginx_tls_source_use_files
 
+  - name: Create Diffie-Hellman Parameter
+    openssl_dhparam:
+      path: "{{ nginx_tls_dhparam_file }}"
+      size: "{{ nginx_tls_dhparam_size | default('2048') }}"
+    when: nginx_tls_dhparam_file is defined
+
   - name: Update tls.conf
     template:
       src: etc/nginx/conf.d/tls.conf.j2
diff --git a/templates/etc/nginx/conf.d/tls.conf.j2 b/templates/etc/nginx/conf.d/tls.conf.j2
index 9134ce7..54281a2 100644
--- a/templates/etc/nginx/conf.d/tls.conf.j2
+++ b/templates/etc/nginx/conf.d/tls.conf.j2
@@ -1,6 +1,10 @@
+#jinja2: lstrip_blocks: True
 # {{ ansible_managed }}
 
 ssl_ciphers '{{ nginx_tls_ciphers | join(":") }}';
 ssl_prefer_server_ciphers on;
+{% if nginx_tls_dhparam_file is definde %}
+ssl_dhparam {{ nginx_tls_dhparam_file }};
+{% endif %}
 ssl_protocols TLSv1.2;
 ssl_session_cache shared:SSL:10m;
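Review bot: The size default lives only in a comment here and in a `| default('2048')` filter in tasks/tls.yml, so a user reading defaults/main.yml cannot override it the normal way without first discovering the task; declaring it as a real default, `nginx_tls_dhparam_size: 2048`, keeps the contract in one place and lets the task use `{{ nginx_tls_dhparam_size }}` directly. The comment should also say what the parameter is for: `ssl_dhparam` only affects DHE (finite-field) cipher suites, and the visible default cipher list starts with ECDHE suites, so a note like `# only used by DHE-* suites in nginx_tls_ciphers; ECDHE suites do not need it` would stop users from expecting it to harden an ECDHE-only configuration. The rest of the cipher list is outside the hunk, so whether any DHE suite is present cannot be confirmed from here.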
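Review bot: The new `Create Diffie-Hellman Parameter` task has no `notify: __nginx_reload`, unlike the neighbouring task that carries one, so a regenerated parameter file (for example after changing `nginx_tls_dhparam_size`) is never picked up by the running nginx: the rendered tls.conf text is unchanged, the template task reports ok, and no reload fires. Adding `notify: __nginx_reload` after the `when:` line closes that gap. Generating the parameters is also slow on larger sizes, which is worth a short comment on the task so operators are not surprised by a long-running step, and the task relies on the `openssl_dhparam` module's own dependencies on the target, which the role does not appear to check in this hunk. The enclosing task list starts before and continues after the hunk.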
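Review bot: `{% if nginx_tls_dhparam_file is definde %}` misspells the Jinja2 test, and an unknown test name is a template syntax error at render time rather than a false branch, so the `Update tls.conf` task will fail on every run of the role, not only when the variable is set; the task in tasks/tls.yml spells it correctly, so the template should match: `{% if nginx_tls_dhparam_file is defined %}`. Because the task guarding file creation and the template guarding the directive are now two separate checks, it is worth a comment on the template line noting that both must use the same condition, otherwise nginx can be pointed at a file the role never created and refuse to start.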