Make dhparam_bits changes detectable

By embedding the bits in the file name we can make it so NGINX gets automatically restarted if dhparam_bits changes.

Make dhparam_bits changes detectable
7d7037fc · ale · a65ca9e8 · 7d7037fc · 7d7037fc · 7d7037fc
Commit 7d7037fc authored 1 month ago by ale
--- a/playbooks/init-credentials.yml
+++ b/playbooks/init-credentials.yml
@@ -62,4 +62,4 @@
      loop: "{{ x509_ca_list | default(default_x509_ca_list) }}"

    - name: Generate global DH params
-      local_action: command openssl dhparam -out "{{ credentials_dir }}/x509/dhparam" "{{ dhparam_bits | default('2048') }}" creates="{{ credentials_dir }}/x509/dhparam"
+      local_action: command openssl dhparam -out "{{ credentials_dir }}/x509/dhparam-{{ dhparam_bits | default('2048') }}" "{{ dhparam_bits | default('2048') }}" creates="{{ credentials_dir }}/x509/dhparam-{{ dhparam_bits | default('2048') }}"
--- a/roles/float-infra-nginx/defaults/main.yml
+++ b/roles/float-infra-nginx/defaults/main.yml
 ---
+# If you change this default, you also need to change playbooks/init-credentials.yml.
 dhparam_bits: 2048

 # Ports that NGINX should bind to. Only change if you are setting

--- a/roles/float-infra-nginx/tasks/nginx.yml
+++ b/roles/float-infra-nginx/tasks/nginx.yml
@@ -79,8 +79,8 @@

 - name: Install DH parameters
  copy:
-    src: "{{ credentials_dir }}/x509/dhparam"
-    dest: /etc/nginx/dhparam
+    src: "{{ credentials_dir }}/x509/dhparam-{{ dhparam_bits }}"
+    dest: /etc/nginx/dhparam-{{ dhparam_bits }}

 - name: Install NGINX config (dirs)
  file:

--- a/roles/float-infra-nginx/templates/config/conf.d/ssl.conf
+++ b/roles/float-infra-nginx/templates/config/conf.d/ssl.conf
@@ -3,7 +3,7 @@ ssl_protocols TLSv1.2 TLSv1.3;
 ssl_prefer_server_ciphers on;
 ssl_session_cache shared:SSL:10m;
 ssl_session_timeout 5m;
-ssl_dhparam /etc/nginx/dhparam;
+ssl_dhparam /etc/nginx/dhparam-{{ dhparam_bits }};
 ssl_ecdh_curve secp384r1;

 # Allow longer keepalive timeouts for SSL connections.