debops.dhparam default variables
Installation
dhparam__deploy_state
What is the desired state which this role should achieve? Possible options:
present
  Default. DH parameters will be present as configured.
absent
  DH parameters will be absent.
Warning: The role is currently not able to dismantle from the "present" state. This needs to be implemented. This state can only be achieved currently when "present" has never been set before on a host.
dhparam__deploy_state: 'present'
dhparam__base_packages
List of APT packages which will be installed to support Diffie-Hellman parameters.
dhparam__base_packages:
- [ '{{ "gnutls-bin" if (dhparam__library == "gnutls") else [] }}' ]
- [ '{{ "openssl" if (dhparam__library == "openssl") else [] }}' ]
dhparam__packages
List of additional APT packages to install.
dhparam__packages: []
Cryptographic parameters
dhparam__source_library
Cryptographic library which will be used on the Ansible Controller to generate preseeded DH parameters. Supported libraries: openssl, gnutls.
dhparam__source_library: 'openssl'
dhparam__library
Cryptographic library which will be used on the remote hosts, by default the same as the one used on the Ansible Controller. Supported libraries: openssl, gnutls.
dhparam__library: '{{ dhparam__source_library }}'
dhparam__default_length
Default symlinks will point to a specific Diffie-Hellman parameter file named dh<length>.pem. This variable specifies which <length> value will be used, which by default is the first value from the list of DH parameter sizes to generate.
dhparam__default_length: '{{ dhparam__bits[0] }}'
dhparam__bits
List of Diffie-Hellman parameter sizes to generate. The first element of the list will be used as the default.
dhparam__bits: [ '3072', '2048' ]
Diffie-Hellman parameter sets
dhparam__sets
Number of sets of Diffie-Hellman parameters to manage, should be >= 1.
dhparam__sets: '1'
dhparam__default_set
Name of the default set of Diffie-Hellman parameters.
dhparam__default_set: '{{ dhparam__set_prefix + "0" }}'
dhparam__set_prefix
Short string prepended to the name of each "set" of Diffie-Hellman parameter directories.
dhparam__set_prefix: 'set'
dhparam__source_path
Path on the Ansible Controller in the secret/ directory where the initial set of Diffie-Hellman parameters is stored. See the debops.secret role for more details.
dhparam__source_path: '{{ secret + "/dhparam/params" }}'
dhparam__path
Directory on the managed hosts where Diffie-Hellman parameter sets are kept and maintained.
dhparam__path: '/etc/pki/dhparam'
dhparam__prefix
String prepended to the DH parameter file name.
dhparam__prefix: 'dh'
dhparam__suffix
String appended to the DH parameter file name.
dhparam__suffix: '.pem'
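A check a defender could run over dhparam__path, added here as an example and not part of the debops.dhparam role: it decodes each dh<length>.pem file and reports files whose prime does not have the length its name claims or is shorter than a floor. The function names, the recursive search and the 2048-bit floor are assumptions, and the sample PEM is constructed.

```python
import base64
import re
from pathlib import Path

NAME_RE = re.compile(r"dh(\d+)\.pem$")  # dhparam__prefix + <length> + dhparam__suffix defaults
PEM_RE = re.compile(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)
# Constructed toy input: SEQUENCE { INTEGER 23, INTEGER 5 }, so p is only 5 bits long
SAMPLE_PEM = "-----BEGIN DH PARAMETERS-----\nMAYCARcCAQU=\n-----END DH PARAMETERS-----\n"

def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def dh_prime_bits(pem_text):
    """Bit length of the prime p in a PEM 'DH PARAMETERS' (PKCS#3) block."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no DH PARAMETERS block")
    der = base64.b64decode("".join(m.group(1).split()))
    seq_tag, seq, _ = read_tlv(der, 0)
    p_tag, p, _ = read_tlv(seq, 0)
    if (seq_tag, p_tag) != (0x30, 0x02):
        raise ValueError("not a SEQUENCE starting with INTEGER p")
    return int.from_bytes(p, "big").bit_length()

def audit(root, min_bits=2048):
    """Map path -> problem for dh<length>.pem files under root (min_bits: assumed floor)."""
    problems = {}
    for path in sorted(Path(root).rglob("dh*.pem")):
        m = NAME_RE.match(path.name)
        if not m:
            continue
        claimed = int(m.group(1))
        try:
            actual = dh_prime_bits(path.read_text())
        except (ValueError, IndexError) as exc:
            problems[str(path)] = f"unparseable: {exc}"
            continue
        if actual != claimed:
            problems[str(path)] = f"name claims {claimed} bits, prime has {actual}"
        elif actual < min_bits:
            problems[str(path)] = f"{actual}-bit prime is below the {min_bits}-bit floor"
    return problems
```

Calling audit("/etc/pki/dhparam") on a managed host returns an empty dict when every file matches its name and meets the floor.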
DH parameter generation script
dhparam__generate_params
Absolute path of the dhparam-generate-params script on remote hosts.
dhparam__generate_params: '{{ (ansible_local.fhs.lib | d("/usr/local/lib"))
+ "/dhparam-generate-params" }}'
dhparam__generate_log
Enable or disable log messages from the DH generation script.
dhparam__generate_log: True
dhparam__hook_path
Directory on remote hosts where hook scripts are stored. These hooks will be run at the end of the Diffie-Hellman generator script using run-parts.
dhparam__hook_path: '{{ dhparam__path + "/hooks.d" }}'
dhparam__openssl_options
Provide additional options to the openssl dhparam generator (e.g. -dsaparam).
dhparam__openssl_options: ''
Initial Diffie-Hellman re-generation
dhparam__generate_init
Schedule a background job on the first configuration of debops.dhparam on a particular host to re-generate the DH parameters? It will only be done if the debops.atd role is enabled on the host. If disabled, hosts will use the default DH parameters seeded from the Ansible Controller.
dhparam__generate_init: True
dhparam__generate_init_units
Time units used to specify the future time of initial DH re-generation. You can use minutes, hours, days or weeks.
dhparam__generate_init_units: 'minutes'
dhparam__generate_init_count
Unit count of the initial DH re-generation. By default, Diffie-Hellman parameters will be re-generated about 20 minutes after the initial Ansible run, depending on system CPU load.
dhparam__generate_init_count: '20'
Periodic Diffie-Hellman re-generation
dhparam__generate_cron
Enable periodic Diffie-Hellman parameter re-generation. If systemd is present, the role will set up a systemd timer; otherwise the script will be started periodically by the cron service.
dhparam__generate_cron: True
dhparam__generate_cron_period
Time interval between periodic DH parameter re-generations. You can use units recognized by the special_time parameter of the cron Ansible module: daily, weekly, monthly, annually, yearly, reboot. If systemd is used, see the systemd.time(7) documentation for possible OnCalendar= values.
dhparam__generate_cron_period: 'monthly'