ansible-infra/ansible_collections/debops/debops/roles/dhparam/tasks/main.yml

---
# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
# Copyright (C) 2015-2017 DebOps <https://debops.org/>
# SPDX-License-Identifier: GPL-3.0-only

- name: Import DebOps global handlers
  ansible.builtin.import_role:
    name: 'global_handlers'

- name: Import DebOps secret role
  ansible.builtin.import_role:
    name: 'secret'

- name: Check Ansible Controller library version  # noqa no-shorthand
  ansible.builtin.shell: |
    set -o nounset -o pipefail -o errexit &&
    {% if dhparam__source_library == 'gnutls' %}
    certtool --version | head -n 1 | awk '{print $NF}'
    {% elif dhparam__source_library == 'openssl' %}
    openssl version | awk '{print $2}'
    {% endif %}
  args:
    executable: 'bash'
  changed_when: False
  register: dhparam__register_version
  delegate_to: 'localhost'
  become: False
  run_once: True
  check_mode: False
  tags: [ 'meta::provision' ]

- name: Assert that required software is installed
  ansible.builtin.assert:
    that:
      - 'dhparam__register_version is defined and dhparam__register_version.stdout'
  delegate_to: 'localhost'
  become: False
  run_once: True
  tags: [ 'meta::provision' ]

- name: Create required directories on Ansible Controller
  ansible.builtin.file:
    path: '{{ dhparam__source_path }}'
    state: 'directory'
    mode: '0755'
  delegate_to: 'localhost'
  become: False
  run_once: True
  tags: [ 'meta::provision' ]

- name: Generate Diffie-Hellman params on Ansible Controller  # noqa no-shorthand
  ansible.builtin.command: |
    {% if dhparam__source_library == 'gnutls' %}
    certtool --generate-dh-params
             --outfile {{ dhparam__source_path + "/" + dhparam__prefix + item + dhparam__suffix }}
             --bits {{ item }}
    {% elif dhparam__source_library == 'openssl' %}
    openssl dhparam {{ dhparam__openssl_options }} -out {{ dhparam__source_path + "/" + dhparam__prefix + item + dhparam__suffix }} {{ item }}
    {% endif %}
  args:
    creates: '{{ dhparam__source_path + "/" + dhparam__prefix + item + dhparam__suffix }}'
  with_items: '{{ dhparam__bits }}'
  delegate_to: 'localhost'
  become: False
  run_once: True
  tags: [ 'meta::provision' ]

- name: Install encryption software
  ansible.builtin.package:
    name: '{{ q("flattened", (dhparam__base_packages + dhparam__packages)) }}'
    state: 'present'
  when: dhparam__deploy_state in ['present']
  register: dhparam__register_packages
  until: dhparam__register_packages is succeeded
  tags: [ 'meta::provision' ]

- name: Create required directories
  ansible.builtin.file:
    path: '{{ dhparam__hook_path }}'
    state: 'directory'
    owner: 'root'
    group: 'root'
    mode: '0755'
  when: dhparam__deploy_state in ['present']
  notify: [ 'Regenerate DH parameters on first install' ]

- name: Preseed Diffie-Hellman parameters
  ansible.builtin.copy:
    src: '{{ dhparam__source_path + "/" }}'
    dest: '{{ dhparam__path + "/params/" + dhparam__set_prefix + item + "/" }}'
    owner: 'root'
    group: 'root'
    mode: '0644'
    force: False
  when: dhparam__deploy_state in ['present']
  with_sequence: 'start=0 count={{ dhparam__sets }}'
  notify: [ 'Execute DH parameter hooks' ]

- name: Create default symlinks for all sets
  ansible.builtin.file:
    src: '{{ "params/" + dhparam__set_prefix + item + "/"
             + dhparam__prefix + dhparam__default_length + dhparam__suffix }}'
    path: '{{ dhparam__path + "/" + dhparam__set_prefix + item }}'
    state: 'link'
    mode: '0644'
  when: dhparam__deploy_state in ['present'] and not ansible_check_mode
  with_sequence: 'start=0 count={{ dhparam__sets }}'

- name: Install DHE generation script
  ansible.builtin.template:
    src: 'usr/local/lib/dhparam-generate-params.j2'
    dest: '{{ dhparam__generate_params }}'
    owner: 'root'
    group: 'root'
    mode: '0755'
  when: dhparam__deploy_state in ['present']

- name: Enable periodic DH parameters generation via cron
  ansible.builtin.cron:
    name: 'Generate new Diffie-Hellman ephemeral parameters'
    job: 'test -x {{ dhparam__generate_params }} && {{ dhparam__generate_params }} schedule'
    cron_file: 'dhparam-generate-params'
    user: 'root'
    special_time: '{{ dhparam__generate_cron_period }}'
    state: '{{ "present"
               if (ansible_service_mgr != "systemd" and
                   dhparam__generate_cron | bool and
                   dhparam__deploy_state in ["present"])
               else "absent" }}'
  when: not ansible_check_mode

- name: Setup systemd timer for periodic DH parameter regeneration
  ansible.builtin.template:
    src: '{{ item }}.j2'
    dest: '/{{ item }}'
    owner: 'root'
    group: 'root'
    mode: '0644'
  with_items:
    - 'etc/systemd/system/dhparam-generate-params.service'
    - 'etc/systemd/system/dhparam-generate-params.timer'
  register: dhparam__register_systemd
  when: dhparam__deploy_state in ['present'] and ansible_service_mgr == 'systemd'

- name: Enable systemd timer
  ansible.builtin.systemd:
    daemon_reload: True
    name: 'dhparam-generate-params.timer'
    enabled: '{{ True
                 if (dhparam__generate_cron | bool)
                 else False }}'
    state: '{{ "started"
                 if (dhparam__generate_cron | bool)
                 else "stopped" }}'
  when: dhparam__deploy_state in ['present'] and ansible_service_mgr == 'systemd' and
        not ansible_check_mode

- name: Make sure the Ansible local facts directory exists
  ansible.builtin.file:
    path: '/etc/ansible/facts.d'
    state: 'directory'
    owner: 'root'
    group: 'root'
    mode: '0755'
  when: dhparam__deploy_state in ['present']

- name: Save dhparam local facts
  ansible.builtin.template:
    src: 'etc/ansible/facts.d/dhparam.fact.j2'
    dest: '/etc/ansible/facts.d/dhparam.fact'
    owner: 'root'
    group: 'root'
    mode: '0644'
  notify: [ 'Refresh host facts' ]
  tags: [ 'meta::facts' ]

- name: Gather facts if they changed
  ansible.builtin.meta: 'flush_handlers'