Support generation of dhparam

Note: Default length is 2048 bits, but can be changed by var

defaults/main.yml

@@ -22,3 +22,6 @@ snippet_files:
 
 
 #default_robots_file: 'robots_disallow_all.txt'
+
+
+nginx__dhparam_size: 2048

files/nginx/snippets/tls_parameters.snippet.conf

@@ -1,9 +1,9 @@
 ssl_protocols TLSv1.2 TLSv1.3;
 ssl_prefer_server_ciphers on;
 
+ssl_dhparam /etc/nginx/private/dhparam.pem;
+
 #ssl_stapling on;
 #ssl_stapling_verify on;
 #resolver 8.8.8.8 1.1.1.1 valid=300s;
 #resolver_timeout 3s;
-
-#ssl_dhparam /etc/ssl/private/site.dh;

tasks/nginx.yml

@@ -14,16 +14,29 @@
     - nginx
 
 
-#- name: Create strong dhparams
+- name: Create 'private' directory
-#  openssl_dhparam:
+  file:
-#    path: '/etc/nginx/dhparam.pem'
+    path: '/etc/nginx/private'
-#    size: 4096
+    state: directory
-#  notify:
+    owner: root
-#    - Reload nginx
+    group: root
-#  tags:
+    mode: 'u=rwx,g=rx,o=rx'
-#    - configuration
+  tags:
-#    - nginx
+    - configuration
-#    - dhparam
+    - nginx
+    - dhparam
+
+
+- name: Create new dhparam of size '{{ nginx__dhparam_size }}'
+  openssl_dhparam:
+    path: '/etc/nginx/private/dhparam.pem'
+    size: '{{ nginx__dhparam_size | mandatory }}'
+  notify:
+    - Reload nginx
+  tags:
+    - configuration
+    - nginx
+    - dhparam
 
 
 - name: Create 'sites-available' directory