debops.dhparam default variables
Installation
- dhparam__deploy_state
What is the desired state which this role should achieve? Possible options:
present
Default. DH parameters will be present as configured.
absent
DH parameters will be absent.
Warning
The role is currently not able to dismantle from the 'present' state. This needs to be implemented. This state can currently only be achieved when 'present' has never been set before on a host.
dhparam__deploy_state: 'present'
- dhparam__base_packages
List of APT packages which will be installed to support Diffie-Hellman parameters.
dhparam__base_packages:
- [ '{{ "gnutls-bin" if (dhparam__library == "gnutls") else [] }}' ]
- [ '{{ "openssl" if (dhparam__library == "openssl") else [] }}' ]
- dhparam__packages
List of additional APT packages to install.
dhparam__packages: []
Cryptographic parameters
- dhparam__source_library
Cryptographic library which will be used on the Ansible Controller to generate preseeded DH parameters. Supported libraries: openssl, gnutls.
dhparam__source_library: 'openssl'
- dhparam__library
Cryptographic library which will be used on the remote hosts, by default the same as the one used on Ansible Controller. Supported libraries: openssl, gnutls.
dhparam__library: '{{ dhparam__source_library }}'
- dhparam__default_length
Default symlinks will point to a specific Diffie-Hellman parameter file named dh<length>.pem. This variable specifies which <length> value will be used, which by default is the first value from the list of DH parameter sizes to generate.
dhparam__default_length: '{{ dhparam__bits[0] }}'
- dhparam__bits
List of Diffie-Hellman parameter sizes to generate. First element of the list will be used as default.
dhparam__bits: [ '3072', '2048' ]
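An added example, not part of the debops.dhparam role: a standalone Python check that a file named dh<length>.pem really holds a prime of that length, by decoding the PEM "DH PARAMETERS" structure (a DER SEQUENCE of the INTEGERs p and g). The function names, the 2048-bit minimum and the sample input are assumptions made for illustration; the sample "prime" is constructed and is not a real prime.

```python
import base64
import re

NAME_RE = re.compile(r"^dh(\d+)\.pem$")  # dh<length>.pem, the default prefix and suffix
PEM_RE = re.compile(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)

def read_tlv(der, pos, tag):  # returns (value, next_pos) of the DER element at pos
    if pos + 2 > len(der) or der[pos] != tag:
        raise ValueError("unexpected DER tag")
    length, start = der[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits count the length bytes that follow
        size = length & 0x7F
        length, start = int.from_bytes(der[start:start + size], "big"), start + size
    if length == 0 or start + length > len(der):
        raise ValueError("empty or truncated DER element")
    return der[start:start + length], start + length

def dh_prime_bits(pem_text):
    """Bit length of p in a PKCS#3 'DH PARAMETERS' PEM: SEQUENCE { INTEGER p, INTEGER g }."""
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(match.group(1).split()))
    seq, _ = read_tlv(der, 0, 0x30)
    prime, _ = read_tlv(seq, 0, 0x02)
    return int.from_bytes(prime, "big").bit_length()

def check_param_file(filename, pem_text, minimum=2048):  # minimum is an assumed policy
    name = NAME_RE.match(filename)
    if not name:
        return "skip: not a dh<length>.pem name"
    expected, actual = int(name.group(1)), dh_prime_bits(pem_text)
    if actual != expected:
        return f"mismatch: name says {expected} bits, prime has {actual}"
    return "ok" if actual >= minimum else f"weak: {actual} bits is below {minimum}"

def der_encode(tag, body):  # minimal encoder, used only to build the sample below
    size = (len(body).bit_length() + 7) // 8
    head = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | size]) + len(body).to_bytes(size, "big")
    return bytes([tag]) + head + body

def make_sample_pem(bits):
    """Constructed test input: p = 2^(bits-1) + 1 is NOT a real prime, g = 2."""
    p = der_encode(0x02, b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big"))
    body = base64.encodebytes(der_encode(0x30, p + der_encode(0x02, b"\x02"))).decode()
    return f"-----BEGIN DH PARAMETERS-----\n{body}-----END DH PARAMETERS-----\n"

if __name__ == "__main__":
    for name, bits in (("dh3072.pem", 3072), ("dh3072.pem", 2048), ("dh1024.pem", 1024)):
        print(name, "->", check_param_file(name, make_sample_pem(bits)))
```

To audit a host, pass the file name and the contents of each parameter file under dhparam__path to check_param_file().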
Diffie-Hellman parameter sets
- dhparam__sets
Number of sets of Diffie-Hellman parameters to manage, should be >= 1.
dhparam__sets: '1'
- dhparam__default_set
Name of the default set of Diffie-Hellman parameters.
dhparam__default_set: '{{ dhparam__set_prefix + "0" }}'
- dhparam__set_prefix
Short string prepended to the name of each "set" of Diffie-Hellman parameter directories.
dhparam__set_prefix: 'set'
- dhparam__source_path
Path on the Ansible Controller in the secret/ directory where the initial set of Diffie-Hellman parameters is stored. See debops.secret role for more details.
dhparam__source_path: '{{ secret + "/dhparam/params" }}'
- dhparam__path
Directory on the managed hosts where Diffie-Hellman parameter sets are kept and maintained.
dhparam__path: '/etc/pki/dhparam'
- dhparam__prefix
String prepended to the DH parameter file name.
dhparam__prefix: 'dh'
- dhparam__suffix
String appended to the DH parameter file name.
dhparam__suffix: '.pem'
DH parameter generation script
- dhparam__generate_params
Absolute path of the dhparam-generate-params script on remote hosts.
dhparam__generate_params: '{{ (ansible_local.fhs.lib | d("/usr/local/lib"))
                              + "/dhparam-generate-params" }}'
- dhparam__generate_log
Enable or disable log messages from DH generation script.
dhparam__generate_log: True
- dhparam__hook_path
Directory on remote hosts where hook scripts are stored. These hooks will be run at the end of the Diffie-Hellman generator script using run-parts.
dhparam__hook_path: '{{ dhparam__path + "/hooks.d" }}'
- dhparam__openssl_options
Provide additional options to the openssl dhparam generator (e.g. -dsaparam).
dhparam__openssl_options: ''
Initial Diffie-Hellman re-generation
- dhparam__generate_init
Schedule a background job on the first configuration of debops.dhparam on a particular host to re-generate the DH parameters? It will only be done if the debops.atd role is enabled on the host. If disabled, hosts will use the default DH parameters seeded from the Ansible Controller.
dhparam__generate_init: True
- dhparam__generate_init_units
Time units used to specify the future time of initial DH re-generation. You can use minutes, hours, days or weeks.
dhparam__generate_init_units: 'minutes'
- dhparam__generate_init_count
Unit count of the initial DH re-generation. By default Diffie-Hellman parameters will be re-generated about 20 minutes after the initial Ansible run, depending on system CPU load.
dhparam__generate_init_count: '20'
Periodic Diffie-Hellman re-generation
- dhparam__generate_cron
Enable periodic Diffie-Hellman parameter re-generation. If systemd is present, the role will set up a systemd timer; otherwise the script will be started periodically by the cron service.
dhparam__generate_cron: True
- dhparam__generate_cron_period
Time interval between periodic DH parameter re-generations. You can use units recognized by the cron Ansible module special_time parameter: daily, weekly, monthly, annually, yearly, reboot. If systemd is used, see the systemd.time(7) documentation for possible OnCalendar= values.
dhparam__generate_cron_period: 'monthly'