debops.dhparam default variables

Installation

dhparam__deploy_state

What is the desired state which this role should achieve? Possible options:

present

Default. DH parameters will be present as configured.

absent

DH parameters will be absent.

Warning

The role is currently not able to dismantle the present state. This needs to be implemented. Currently, this state can only be achieved when present has never been set on a host before.

dhparam__deploy_state: 'present'

dhparam__base_packages

List of APT packages which will be installed to support Diffie-Hellman parameters.

dhparam__base_packages:
  - [ '{{ "gnutls-bin" if (dhparam__library == "gnutls") else [] }}' ]
  - [ '{{ "openssl" if (dhparam__library == "openssl") else [] }}' ]

dhparam__packages

List of additional APT packages to install.

dhparam__packages: []

Cryptographic parameters

dhparam__source_library

Cryptographic library which will be used on the Ansible Controller to generate preseeded DH parameters. Supported libraries: openssl, gnutls.

dhparam__source_library: 'openssl'

dhparam__library

Cryptographic library which will be used on the remote hosts, by default the same as the one used on Ansible Controller. Supported libraries: openssl, gnutls.

dhparam__library: '{{ dhparam__source_library }}'

dhparam__default_length

Default symlinks will point to a specific Diffie-Hellman parameter file named dh<length>.pem. This variable specifies which <length> value will be used, which by default is the first value from the list of DH parameter sizes to generate.

dhparam__default_length: '{{ dhparam__bits[0] }}'

dhparam__bits

List of Diffie-Hellman parameter sizes to generate. First element of the list will be used as default.

dhparam__bits: [ '3072', '2048' ]

Diffie-Hellman parameter sets

dhparam__sets

Number of sets of Diffie-Hellman parameters to manage, should be >= 1.

dhparam__sets: '1'

dhparam__default_set

Name of the default set of Diffie-Hellman parameters.

dhparam__default_set: '{{ dhparam__set_prefix + "0" }}'

dhparam__set_prefix

Short string prepended to the name of each "set" of Diffie-Hellman parameter directories.

dhparam__set_prefix: 'set'

dhparam__source_path

Path on the Ansible Controller in the secret/ directory where the initial set of Diffie-Hellman parameters is stored. See debops.secret role for more details.

dhparam__source_path: '{{ secret + "/dhparam/params" }}'

dhparam__path

Directory on the managed hosts where Diffie-Hellman parameter sets are kept and maintained.

dhparam__path: '/etc/pki/dhparam'

dhparam__prefix

String prepended to the DH parameter file name.

dhparam__prefix: 'dh'

dhparam__suffix

String appended to the DH parameter file name.

dhparam__suffix: '.pem'

DH parameter generation script

dhparam__generate_params

Absolute path of the dhparam-generate-params script on remote hosts.

dhparam__generate_params: '{{ (ansible_local.fhs.lib | d("/usr/local/lib"))
                              + "/dhparam-generate-params" }}'

dhparam__generate_log

Enable or disable log messages from DH generation script.

dhparam__generate_log: True

dhparam__hook_path

Directory on remote hosts where hook scripts are stored. These hooks will be run at the end of the Diffie-Hellman generator script using run-parts.

dhparam__hook_path: '{{ dhparam__path + "/hooks.d" }}'

dhparam__openssl_options

Provide additional options to the openssl dhparam generator (e.g. -dsaparam).

dhparam__openssl_options: ''
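
The following added example (not part of debops.dhparam or DebOps) shows one way to verify a deployed dh<length>.pem file: it parses the PKCS#3 PEM, compares the modulus size with <length>, and tests whether the modulus is a safe prime, which openssl dhparam produces unless an option such as -dsaparam is given. The function names and the toy SAMPLE_PEM are constructed for this illustration.

```python
import base64, random, re

# Constructed toy input (p=23, g=5) to exercise the parser; never deploy it.
SAMPLE_PEM = "-----BEGIN DH PARAMETERS-----\nMAYCARcCAQU=\n-----END DH PARAMETERS-----\n"

def _header(der, pos, tag):
    """Decode one DER tag/length header; return (content_offset, content_length)."""
    if der[pos] != tag:
        raise ValueError(f"unexpected ASN.1 tag 0x{der[pos]:02x}")
    length, pos = der[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return pos, length

def parse_dh_pem(pem):
    """Return (p, g) from a PKCS#3 'DH PARAMETERS' PEM block."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.+?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode(m.group(1))
    pos, _ = _header(der, 0, 0x30)  # SEQUENCE { INTEGER p, INTEGER g, ... }
    values = []
    for _ in range(2):
        pos, n = _header(der, pos, 0x02)
        values.append(int.from_bytes(der[pos:pos + n], "big"))
        pos += n
    return tuple(values)

def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test with random bases."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        # composite unless x is 1 or a square in the chain reaches n - 1
        if x != 1 and all(pow(x, 2 ** r, n) != n - 1 for r in range(s)):
            return False
    return True

def audit_dh_params(pem, expected_bits):
    """Check the modulus size against <length> and whether p is a safe prime."""
    p, g = parse_dh_pem(pem)
    safe = is_probable_prime(p) and is_probable_prime((p - 1) // 2)
    return {"bits": p.bit_length(), "bits_ok": p.bit_length() == expected_bits,
            "safe_prime": safe, "generator": g}
```

For a file named dh3072.pem, call audit_dh_params(open(path).read(), 3072). Input without a DH PARAMETERS block raises ValueError.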

Initial Diffie-Hellman re-generation

dhparam__generate_init

Schedule a background job on the first configuration of debops.dhparam on a particular host to re-generate the DH parameters? It will only be done if the debops.atd role is enabled on the host. If disabled, hosts will use the default DH parameters seeded from the Ansible Controller.

dhparam__generate_init: True

dhparam__generate_init_units

Time units used to specify the future time of initial DH re-generation. You can use minutes, hours, days or weeks.

dhparam__generate_init_units: 'minutes'

dhparam__generate_init_count

Unit count of the initial DH re-generation. By default Diffie-Hellman parameters will be re-generated about 20 minutes after the initial Ansible run, depending on system CPU load.

dhparam__generate_init_count: '20'

Periodic Diffie-Hellman re-generation

dhparam__generate_cron

Enable periodic Diffie-Hellman parameter re-generation. If systemd is present, the role will set up a systemd timer, otherwise the script will be started periodically by cron service.

dhparam__generate_cron: True

dhparam__generate_cron_period

Time interval between periodical DH parameter re-generation. You can use units recognized by cron Ansible module special_time parameter: daily, weekly, monthly, annually, yearly, reboot. If systemd is used, see the systemd.time(7) documentation for possible OnCalendar= values.

dhparam__generate_cron_period: 'monthly'