use ansible dhparam module (dev-sec#32)

* use ansible dhparam module
divialth · Aug 28, 2020 · 34a48f7 · 34a48f7
1 parent 78130b5
commit 34a48f7
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 11 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -102,7 +102,7 @@ script:
   - 'docker run --detach --volume="${PWD}":/etc/ansible/roles/ansible-nginx-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"'
 
   # Install ansible galaxy requirements
-  - 'docker exec "$(cat ${container_id})" ansible-galaxy -c install -r /etc/ansible/roles/ansible-nginx-hardening/requirements.yml -p /etc/ansible/roles/'
+  - 'docker exec "$(cat ${container_id})" ansible-galaxy install --ignore-certs -r /etc/ansible/roles/ansible-nginx-hardening/requirements.yml -p /etc/ansible/roles/'
 
   # Test role
   - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-nginx-hardening/tests/"${test_playbook}" -vv'

diff --git a/tasks/main.yml b/tasks/main.yml
@@ -85,15 +85,10 @@
     - "/etc/nginx/sites-enabled/default"
 
 - name: generate dh group
-  command: "openssl dhparam -out /etc/nginx/dh{{ nginx_dh_size }}.pem {{ nginx_dh_size }}"
-  args:
-    creates: "/etc/nginx/dh{{ nginx_dh_size }}.pem"
-  notify: restart nginx
-
-- name: config should not be worldwide read- or writeable
-  file:
-    path: "/etc/nginx"
-    mode: "o-rw"
+  openssl_dhparam:
+    path: "/etc/nginx/dh{{ nginx_dh_size }}.pem"
+    size: "{{ nginx_dh_size }}"
+    mode: '0640'
     owner: "root"
     group: "root"
-    recurse: true
+  notify: restart nginx