@oxc
Created November 23, 2017 13:09
Puppet defined type for regular dhparams re-generation
```puppet
# create and refresh dh params
define profile::security::dhparams(
  Integer          $length,                   # DH modulus size in bits (2048 or more is the current norm)
  String           $path           = $name,   # where the finished .pem is installed
  Optional[String] $recreate_after = undef,   # tidy age such as '2w'; undef keeps the params forever
  Boolean          $selinux        = false,
  $owner                           = 'root',
  $group                           = 0,
) {
  # Work file next to the target (dirname/basename come from puppetlabs-stdlib).
  # The exec only runs while this file is missing, so deleting it, by hand or
  # through tidy below, forces a fresh generation on the next run.
  $tmpfile = "${dirname($path)}/.puppet-${basename($path)}"

  if $recreate_after {
    # Remove the work file once its mtime is older than $recreate_after,
    # and make sure that happens before the exec checks for it.
    tidy { "tidy-refresh dhparams ${name}":
      path => $tmpfile,
      age  => $recreate_after,
      type => mtime,
    }
    -> Exec["generate dhparams ${name}"]
  }

  exec { "generate dhparams ${name}":
    command => "/usr/bin/openssl dhparam -out ${tmpfile} ${length}",
    creates => $tmpfile,
    timeout => 0,   # 0 disables the 300 s default; large moduli can take minutes
  }
  -> file { $path:
    ensure => present,
    source => $tmpfile,
    owner  => $owner,
    group  => $group,
    mode   => '0644',   # DH parameters are public, there is no secret material here
  }

  if $selinux {
    File[$path] {
      seltype => 'cert_t',
    }
  }
}
```
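The same refresh cycle as the tidy, exec and file chain above, written as a plain shell function so the age policy can be exercised without a Puppet run. This is an added example, not code from the gist; it assumes GNU find/touch, an `openssl` binary on PATH, and adds a verification step (`openssl dhparam -check`) and an atomic rename that the Puppet version does not have.

```sh
#!/bin/sh
set -eu

# Return 0 when $1 is missing or its mtime is older than $2 days (the gist's
# tidy "age/mtime" test), 1 when it is fresh and should be left alone.
dhparams_stale() {
    file=$1; max_days=$2
    [ -f "$file" ] || return 0
    # find prints the path only when the file is more than max_days days old
    [ -n "$(find "$file" -mtime +"$max_days" 2>/dev/null)" ]
}

# Regenerate into a hidden sibling of the target (like the gist's
# .puppet-<name> work file), verify the parameters, then install atomically.
dhparams_refresh() {
    target=$1; bits=$2; max_days=$3
    dhparams_stale "$target" "$max_days" || { echo "fresh: $target"; return 0; }
    tmp="$(dirname "$target")/.dhparams-$(basename "$target").$$"
    openssl dhparam -out "$tmp" "$bits"
    # refuse to install parameters that fail openssl's own primality/generator check
    openssl dhparam -check -noout -in "$tmp" >/dev/null
    chmod 0644 "$tmp"                 # DH parameters are public data
    mv -f "$tmp" "$target"            # rename is atomic: readers never see a partial file
    echo "regenerated: $target"
}
```

Example invocation, mirroring the gist's usage: `dhparams_refresh /etc/postfix/dh2048.pem 2048 14 && systemctl reload postfix`.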
oxc commented Nov 23, 2017

Use like:

```puppet
profile::security::dhparams { "${datadir}/dh2048.pem":
  length         => 2048,
  recreate_after => "2w",
  notify         => Service[postfix],
}
profile::security::dhparams { "${datadir}/dh512.pem":
  length         => 512,
  recreate_after => "2w",
  notify         => Service[postfix],
}
```
