From 7d7037fc7ddebf95db2e81130d50d9f950e1258a Mon Sep 17 00:00:00 2001
From: ale <ale@incal.net>
Date: Mon, 24 Feb 2025 14:42:15 +0000
Subject: [PATCH] Make dhparam_bits changes detectable

By embedding the bits in the file name we can make it so NGINX
gets automatically restarted if dhparam_bits changes.
---
 playbooks/init-credentials.yml                           | 2 +-
 roles/float-infra-nginx/defaults/main.yml                | 1 +
 roles/float-infra-nginx/tasks/nginx.yml                  | 4 ++--
 roles/float-infra-nginx/templates/config/conf.d/ssl.conf | 2 +-
 4 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/playbooks/init-credentials.yml b/playbooks/init-credentials.yml
index 6c02e0eb..ae9b666e 100644
--- a/playbooks/init-credentials.yml
+++ b/playbooks/init-credentials.yml
@@ -62,4 +62,4 @@
       loop: "{{ x509_ca_list | default(default_x509_ca_list) }}"
 
     - name: Generate global DH params
-      local_action: command openssl dhparam -out "{{ credentials_dir }}/x509/dhparam" "{{ dhparam_bits | default('2048') }}" creates="{{ credentials_dir }}/x509/dhparam"
+      local_action: command openssl dhparam -out "{{ credentials_dir }}/x509/dhparam-{{ dhparam_bits | default('2048') }}" "{{ dhparam_bits | default('2048') }}" creates="{{ credentials_dir }}/x509/dhparam-{{ dhparam_bits | default('2048') }}"
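Review bot: The path `{{ credentials_dir }}/x509/dhparam-{{ dhparam_bits | default('2048') }}` now appears twice on the new line (for `-out` and for `creates`) and the bits fallback a third time, so an edit that touches one copy but not the other silently breaks the `creates` guard, either regenerating on every run or never producing the new file. Hoisting the path into a task-level variable keeps the two identical by construction: `vars:` / `  dhparam_file: "{{ credentials_dir }}/x509/dhparam-{{ dhparam_bits | default('2048') }}"` and then `local_action: command openssl dhparam -out "{{ dhparam_file }}" "{{ dhparam_bits | default('2048') }}" creates="{{ dhparam_file }}"`. The `key=value` form of `creates=` predates this change; the native `args:` / `creates:` block would be the idiomatic Ansible spelling but is not required for the fix. The enclosing play and task list start before this hunk.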
diff --git a/roles/float-infra-nginx/defaults/main.yml b/roles/float-infra-nginx/defaults/main.yml
index 50b41600..23e9ff29 100644
--- a/roles/float-infra-nginx/defaults/main.yml
+++ b/roles/float-infra-nginx/defaults/main.yml
@@ -1,4 +1,5 @@
 ---
+# If you change this default, you also need to change playbooks/init-credentials.yml.
 dhparam_bits: 2048
 
 # Ports that NGINX should bind to. Only change if you are setting
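Review bot: The added comment says the playbook must change too but not what in it, so a reader still has to find the `default('2048')` fallback by hand; naming it makes the coupling greppable and states why the two values must agree: `# Must match the default('2048') fallback for dhparam_bits in playbooks/init-credentials.yml, otherwise the generated file name and the name the nginx role copies diverge.` No code change is needed in this hunk.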
diff --git a/roles/float-infra-nginx/tasks/nginx.yml b/roles/float-infra-nginx/tasks/nginx.yml
index 7d0c0722..e4ba5f2d 100644
--- a/roles/float-infra-nginx/tasks/nginx.yml
+++ b/roles/float-infra-nginx/tasks/nginx.yml
@@ -79,8 +79,8 @@
 
 - name: Install DH parameters
   copy:
-    src: "{{ credentials_dir }}/x509/dhparam"
-    dest: /etc/nginx/dhparam
+    src: "{{ credentials_dir }}/x509/dhparam-{{ dhparam_bits }}"
+    dest: /etc/nginx/dhparam-{{ dhparam_bits }}
 
 - name: Install NGINX config (dirs)
   file:
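Review bot: `dest: /etc/nginx/dhparam-{{ dhparam_bits }}` is a plain unquoted scalar containing a Jinja expression while `src` on the line above is quoted; it parses correctly only because `{{` is not at the start of the value, so quoting it as `dest: "/etc/nginx/dhparam-{{ dhparam_bits }}"` keeps the task consistent and protects against a later edit that moves the expression to the front and gets parsed as a flow mapping. Nothing removes the previous `/etc/nginx/dhparam` (or an earlier `dhparam-<bits>` copy) from hosts once the bits change; NGINX only loads the file `ssl.conf` references, so this is clutter rather than a risk, but a `file:` task with `state: absent` for the unsuffixed path would tidy it. Whether this copy task notifies an NGINX restart is outside the hunk; the restart the commit message relies on presumably comes from the `ssl.conf` template change, which is worth confirming.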
diff --git a/roles/float-infra-nginx/templates/config/conf.d/ssl.conf b/roles/float-infra-nginx/templates/config/conf.d/ssl.conf
index 99ab8b11..e0eac160 100644
--- a/roles/float-infra-nginx/templates/config/conf.d/ssl.conf
+++ b/roles/float-infra-nginx/templates/config/conf.d/ssl.conf
@@ -3,7 +3,7 @@ ssl_protocols TLSv1.2 TLSv1.3;
 ssl_prefer_server_ciphers on;
 ssl_session_cache shared:SSL:10m;
 ssl_session_timeout 5m;
-ssl_dhparam /etc/nginx/dhparam;
+ssl_dhparam /etc/nginx/dhparam-{{ dhparam_bits }};
 ssl_ecdh_curve secp384r1;
 
 # Allow longer keepalive timeouts for SSL connections.
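Review bot: `ssl_dhparam /etc/nginx/dhparam-{{ dhparam_bits }};` derives the file name from the role variable with no fallback, while `playbooks/init-credentials.yml` derives it from `dhparam_bits | default('2048')`; if a non-default value is supplied to only one side (for example via `-e` on the credentials run but not in the inventory the nginx role sees), the two names diverge and the failure surfaces as a missing `src` in the copy task at deploy time rather than here. That is a deployment-procedure caveat inferred from the two hunks rather than a defect in this line; a one-line comment above the directive, `# file name must match the one generated by playbooks/init-credentials.yml for the same dhparam_bits`, would make the dependency visible to whoever edits this template.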
-- 
GitLab