From 3e570925f0c0dca8ad348cb5108ac65f2072a412 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robin=20Ob=C5=AFrka?=
Date: Tue, 18 Oct 2016 15:16:46 +0200
Subject: nginx: Make DH params optional

This is for early production / development phase.
---
 roles/nginx/defaults/main.yml | 2 ++
 roles/nginx/tasks/main.yml | 3 ++-
 roles/nginx/templates/snippets/ssl-common.conf.j2 | 2 ++
 roles/nginx/templates/snippets/ssl-medium-common.conf.j2 | 2 ++
 4 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
index d59cd9b..e323b04 100644
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@@ -2,6 +2,8 @@ nginx_well_known_path: "/home/acme/webroot/"
 ## First of all - make sure that HTTPS works well; then is possible to enable HSTS
 nginx_enable_hsts: no
+## Generating DH params takes some time. It could be useful to handle them later.
+nginx_skip_dhparams: False
 ## Control default config uploading
 nginx_deploy_default_config: True
 nginx_enable_autodetection: True
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index 4d4b085..2e01d22 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -24,7 +24,7 @@
 creates: /etc/ssl/dh4096.pem
 notify:
 - restart nginx
- when: dhparams is not defined
+ when: dhparams is not defined and nginx_skip_dhparams == False
 - name: Fix dhparams privileges
 file:
@@ -34,6 +34,7 @@
 mode: 0644
 notify:
 - restart nginx
+ when: nginx_skip_dhparams == False
 - name: Ensure about snippets directory
 file:
diff --git a/roles/nginx/templates/snippets/ssl-common.conf.j2 b/roles/nginx/templates/snippets/ssl-common.conf.j2
index a7806ac..b9d6e78 100644
--- a/roles/nginx/templates/snippets/ssl-common.conf.j2
+++ b/roles/nginx/templates/snippets/ssl-common.conf.j2
@@ -1,5 +1,7 @@
 ssl on;
+{% if nginx_skip_dhparams == False %}
 ssl_dhparam /etc/ssl/dh4096.pem;
+{% endif %}
 ssl_prefer_server_ciphers on;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
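Review bot: The comment above the new `nginx_skip_dhparams: False` default only says that generation is slow; it does not say what setting the flag to True does to the TLS configuration, which is the part an operator needs before flipping it. Omitting `ssl_dhparam` leaves DHE handling to nginx's built-in behaviour — a fixed 1024-bit group on releases before 1.11.0, DHE ciphers disabled on later ones — so the flag changes the cipher setup, not just deployment time. I would extend the comment to: `## True omits ssl_dhparam from the TLS snippets; nginx then falls back to its built-in DH handling (weak 1024-bit group before 1.11.0, DHE disabled afterwards). Development only — keep False in production.`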
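Review bot: The changed `when:` line compares `nginx_skip_dhparams == False` against the Python boolean, so a value supplied as a string (for example from `-e nginx_skip_dhparams=False` on the command line, which arrives as the string "False") compares unequal and silently skips DH parameter generation. The same comparison appears in the second hunk of this file and in both `ssl-common.conf.j2` and `ssl-medium-common.conf.j2`; since they all evaluate identically the task guard and the templates do stay in sync today, but any later edit to one of the four sites can leave the template referencing `/etc/ssl/dh4096.pem` while the task that creates it is skipped, and nginx then refuses to start. Coercing once with the `bool` filter is clearer and tolerant of string input: `when: dhparams is not defined and not (nginx_skip_dhparams | bool)` here, `when: not (nginx_skip_dhparams | bool)` in the privileges task, and `{% if not (nginx_skip_dhparams | bool) %}` in the templates. The generating task's header and the registration of `dhparams` are outside the hunk.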
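Review bot: When `nginx_skip_dhparams` is set, the `{% if %}` block in the new lines drops `ssl_dhparam` without leaving any trace in the rendered snippet, so someone reading `/etc/nginx` on a host cannot tell whether the directive is missing by design or by mistake. An `{% else %}` branch that renders a comment would make the weakened state visible where it matters: `{% else %}` / `# ssl_dhparam omitted: nginx_skip_dhparams is set (development only)` / `{% endif %}`. The identical block is added to `ssl-medium-common.conf.j2` in the next file of this patch and should get the same treatment; the two snippets could also share one include rather than duplicating the conditional.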
diff --git a/roles/nginx/templates/snippets/ssl-medium-common.conf.j2 b/roles/nginx/templates/snippets/ssl-medium-common.conf.j2
index 581f55f..be2b57b 100644
--- a/roles/nginx/templates/snippets/ssl-medium-common.conf.j2
+++ b/roles/nginx/templates/snippets/ssl-medium-common.conf.j2
@@ -1,5 +1,7 @@
 ssl on;
+{% if nginx_skip_dhparams == False %}
 ssl_dhparam /etc/ssl/dh4096.pem;
+{% endif %}
 ssl_prefer_server_ciphers on;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
--
cgit v1.2.3