From 08a37c6dab7d442799d44448e12b2ba8d4d45c4f Mon Sep 17 00:00:00 2001
From: Felix Stupp <felix.stupp@outlook.com>
Date: Thu, 28 May 2020 16:23:51 +0200
Subject: [PATCH] nginx/application: Configure dhparams for SSL

---
 roles/nginx/application/defaults/main.yml  | 2 ++
 roles/nginx/application/meta/main.yml      | 1 +
 roles/nginx/application/templates/ssl.conf | 1 +
 3 files changed, 4 insertions(+)

diff --git a/roles/nginx/application/defaults/main.yml b/roles/nginx/application/defaults/main.yml
index 6c890e9..283aa6e 100644
--- a/roles/nginx/application/defaults/main.yml
+++ b/roles/nginx/application/defaults/main.yml
@@ -12,6 +12,8 @@ nginx_global_log_directory: "/var/log/nginx"
 nginx_global_access_log: "{{ nginx_global_log_directory }}/access.log"
 nginx_global_error_log: "{{ nginx_global_log_directory }}/error.log"
 
+# dhparams_remote_path from misc/dhparams
+
 acme_validation_directory: ".well-known/acme-challenge"
 nginx_validation_root_directory: "/var/www/validation"
 nginx_validation_test_file: "{{ nginx_validation_root_directory }}/{{ acme_validation_directory }}/test"
diff --git a/roles/nginx/application/meta/main.yml b/roles/nginx/application/meta/main.yml
index cff3321..29447a6 100644
--- a/roles/nginx/application/meta/main.yml
+++ b/roles/nginx/application/meta/main.yml
@@ -3,4 +3,5 @@
 allow_duplicates: no
 
 dependencies:
+  - role: misc/dhparams
   - role: acme/application
diff --git a/roles/nginx/application/templates/ssl.conf b/roles/nginx/application/templates/ssl.conf
index ae57f97..343d603 100644
--- a/roles/nginx/application/templates/ssl.conf
+++ b/roles/nginx/application/templates/ssl.conf
@@ -4,6 +4,7 @@ ssl_prefer_server_ciphers off;
 ssl_session_cache shared:SSL:10m;
 ssl_session_timeout 1d;
 ssl_session_tickets off;
+ssl_dhparam {{ dhparams_remote_path }};
 ssl_stapling on;
 ssl_stapling_verify on;
 ssl_trusted_certificate /etc/ssl/certs/ISRG_Root_X1.pem;