From: Ralf Jung Date: Fri, 11 May 2018 08:47:45 +0000 (+0200) Subject: Move dh2048 creation to base, remove server-scripts from base X-Git-Url: https://git.ralfj.de/ansible.git/commitdiff_plain/7324fa78958c5053ac8d02e70e3bad248d0a74e8?ds=inline Move dh2048 creation to base, remove server-scripts from base --- diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index 5f264c6..0bc1caf 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -16,12 +16,11 @@ apt: name=needrestart state=latest default_release={{ansible_distribution_release}}-backports - name: install some basic tools apt: name=aptitude,rsync,git,mercurial,curl,apt-transport-https,psmisc,dnsutils,tree,htop state=latest -# server-scripts -- name: clone server-scripts git repository - git: - dest: /root/server-scripts - repo: 'https://git.ralfj.de/server-scripts.git' - version: 07d301fd8adeaf8ad40591a418da394ad37816ce +# dh2048 +- name: create dh2048 file + command: openssl dhparam -out /etc/ssl/dh2048.pem 2048 + args: + creates: "/etc/ssl/dh2048.pem" # configuration - name: configure root shell copy: diff --git a/roles/postfix/defaults/main.yml b/roles/postfix/defaults/main.yml deleted file mode 100644 index b05f8de..0000000 --- a/roles/postfix/defaults/main.yml +++ /dev/null @@ -1,3 +0,0 @@ -postfix: - paths: - dh2048: /etc/ssl/dh2048.pem diff --git a/roles/postfix/tasks/main.yml b/roles/postfix/tasks/main.yml index 45eb9ee..af796d3 100644 --- a/roles/postfix/tasks/main.yml +++ b/roles/postfix/tasks/main.yml @@ -1,8 +1,3 @@ -# base -- name: create dh2048 file - command: openssl dhparam -out {{ postfix.paths.dh2048 }} 2048 - args: - creates: "{{ postfix.paths.dh2048 }}" # daemons - import_tasks: unbound.yml tags: unbound diff --git a/roles/postfix/templates/main.cf b/roles/postfix/templates/main.cf index fa2082c..4488ec4 100644 --- a/roles/postfix/templates/main.cf +++ b/roles/postfix/templates/main.cf @@ -13,7 +13,7 @@ smtpd_tls_key_file=/etc/ssl/private/letsencrypt/live.key smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtpd_tls_security_level = may smtpd_tls_loglevel = 1 -smtpd_tls_dh1024_param_file = {{ postfix.paths.dh2048 }} +smtpd_tls_dh1024_param_file = /etc/ssl/dh2048.pem smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3 smtpd_tls_ciphers = low smtpd_tls_mandatory_ciphers = high diff --git a/roles/prosody/defaults/main.yml b/roles/prosody/defaults/main.yml index 9fc3074..ebe7068 100644 --- a/roles/prosody/defaults/main.yml +++ b/roles/prosody/defaults/main.yml @@ -1,4 +1,3 @@ prosody: paths: modules: /var/lib/prosody/modules - dh2048: /etc/ssl/dh2048.pem diff --git a/roles/prosody/templates/prosody.cfg.lua b/roles/prosody/templates/prosody.cfg.lua index 4f99029..fd805cc 100644 --- a/roles/prosody/templates/prosody.cfg.lua +++ b/roles/prosody/templates/prosody.cfg.lua @@ -119,7 +119,7 @@ ssl = { key = "/etc/ssl/private/letsencrypt/live.key"; certificate = "/etc/ssl/mycerts/letsencrypt/live.crt+chain"; ciphers = "ALL:!EXPORT:!LOW:!MEDIUM:!aNULL:!3DES"; - dhparam = "{{ prosody.paths.dh2048 }}"; + dhparam = "/etc/ssl/dh2048.pem"; } -- support legacy clients legacy_ssl_ports = { 5223 }