ansible-playbooks/roles/ca/tasks/gen_dhparam.yml

- name: define dh param dict
  set_fact:
    dh: "{{ {'remote_gen': true, 'size': 2048, 'backup': false} | combine(dh_params | d({})) }}"


- name: check if dhparam file exists
  stat:
    path: "{{ dh.path | mandatory }}"
  register: res


- block:
  - name: ensure cryptography toolkit is installed
    include_tasks: tasks/install_packages.yml
    vars:
      package:
        - alpine: py3-cryptography
          debian: python3-cryptography
    when: dh.remote_gen == false


  - block:
    - name: wait until ca becomes available
      wait_for_connection:
        timeout: 10

    - name: create temporary file for dh params
      tempfile:
        state: file
      register: tf

    delegate_to: "{{ services.ca.hostname }}"
    when: dh.remote_gen == true


  - name: generate dh params
    community.crypto.openssl_dhparam:
      path: "{%- if dh.remote_gen == false -%}{{ dh.path | mandatory }}\
             {%- else -%}{{ tf.path }}\
             {%- endif -%}"
      size: "{{ dh.size }}"
      backup: "{{ dh.backup }}"
      mode: "{{ (dh.mode | d('0400')) if (dh.remote_gen == false) else '0400' }}"
      owner: "{{ (dh.owner | d(omit)) if (dh.remote_gen == false) else omit }}"
      group: "{{ (dh.group | d(omit)) if (dh.remote_gen == false) else omit }}"
      return_content: "{{ dh.remote_gen == true }}"
    delegate_to: "{{ inventory_hostname if (dh.remote_gen == false) else services.ca.hostname }}"
    notify: "{{ dh.notify | d(omit) }}"
    register: dh_result


  - block:
    - name: remove temporary file
      file:
        path: "{{ tf.path }}"
        state: absent
      delegate_to: "{{ services.ca.hostname }}"

    - name: copy dh result to remote node
      copy:
        content: "{{ dh_result.dhparams }}"
        dest: "{{ dh.path | mandatory }}"
        mode: "{{ dh.mode | d('0400') }}"
        owner: "{{ dh.owner | d(omit) }}"
        group: "{{ dh.group | d(omit) }}"

    when: dh.remote_gen == true

  when: (not res.stat.exists) or (dh.remote_gen == false)


- name: unset dh param dict
  set_fact:
    dh: "{{ {} }}"
init 2 years ago			`- name: define dh param dict`
			`set_fact:`
			`dh: "{{ {'remote_gen': true, 'size': 2048, 'backup': false} \| combine(dh_params \| d({})) }}"`


			`- name: check if dhparam file exists`
			`stat:`
			`path: "{{ dh.path \| mandatory }}"`
			`register: res`


			`- block:`
			`- name: ensure cryptography toolkit is installed`
			`include_tasks: tasks/install_packages.yml`
			`vars:`
			`package:`
			`- alpine: py3-cryptography`
			`debian: python3-cryptography`
			`when: dh.remote_gen == false`


			`- block:`
			`- name: wait until ca becomes available`
			`wait_for_connection:`
			`timeout: 10`

			`- name: create temporary file for dh params`
			`tempfile:`
			`state: file`
			`register: tf`

			`delegate_to: "{{ services.ca.hostname }}"`
			`when: dh.remote_gen == true`


			`- name: generate dh params`
			`community.crypto.openssl_dhparam:`
			`path: "{%- if dh.remote_gen == false -%}{{ dh.path \| mandatory }}\`
			`{%- else -%}{{ tf.path }}\`
			`{%- endif -%}"`
			`size: "{{ dh.size }}"`
			`backup: "{{ dh.backup }}"`
			`mode: "{{ (dh.mode \| d('0400')) if (dh.remote_gen == false) else '0400' }}"`
			`owner: "{{ (dh.owner \| d(omit)) if (dh.remote_gen == false) else omit }}"`
			`group: "{{ (dh.group \| d(omit)) if (dh.remote_gen == false) else omit }}"`
			`return_content: "{{ dh.remote_gen == true }}"`
			`delegate_to: "{{ inventory_hostname if (dh.remote_gen == false) else services.ca.hostname }}"`
			`notify: "{{ dh.notify \| d(omit) }}"`
			`register: dh_result`


			`- block:`
			`- name: remove temporary file`
			`file:`
			`path: "{{ tf.path }}"`
			`state: absent`
			`delegate_to: "{{ services.ca.hostname }}"`

			`- name: copy dh result to remote node`
			`copy:`
			`content: "{{ dh_result.dhparams }}"`
			`dest: "{{ dh.path \| mandatory }}"`
			`mode: "{{ dh.mode \| d('0400') }}"`
			`owner: "{{ dh.owner \| d(omit) }}"`
			`group: "{{ dh.group \| d(omit) }}"`

			`when: dh.remote_gen == true`

			`when: (not res.stat.exists) or (dh.remote_gen == false)`


			`- name: unset dh param dict`
			`set_fact:`
			`dh: "{{ {} }}"`