generate dhparam locally rather than on vpn server
[awsible] / roles / msca-openvpn / tasks / main.yml
index 13ae87af6393b2520d83db212ef5ad3d0ec8a068..d58cb3b3cd5d2f49987078eb1b884c06d5547301 100644 (file)
@@ -9,7 +9,7 @@
     - cert != ''
     - key != ''
     - ta_secret != ''
-
+    - dhparam != ''
   tags: ['check_vars']
 
 - assert:
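Review bot: The added `dhparam != ''` check only proves the variable is non-empty, so a truncated paste or the wrong file would pass here and surface later as an OpenVPN start-up failure. A cheap content check could sit beside it, for example `- "'BEGIN DH PARAMETERS' in dhparam"`. The assert task starts above this hunk, so whether the variable is also guarded against being undefined cannot be seen from here.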
     group: openvpn
     mode: "0755"
 
-- name: generate dh parameters
-  command: /usr/bin/openssl dhparam -out /etc/openvpn/keys/dh.pem 4096
-  args:
-    creates: /etc/openvpn/keys/dh.pem
-
 - name: install keys
   with_items:
+  - file: dh.pem
+    content: "{{ dhparam }}"
+    mode: "0444"
   - file: ca.{{ ca_name|lower }}.crt
     content: "{{ ca_cert }}"
     mode: "0400"
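Review bot: With the `openssl dhparam ... 4096` task removed, nothing in the role enforces the 4096-bit size any more; the new `dh.pem` entry writes whatever `dhparam` holds. A comment above the entry would keep the requirement visible, e.g. `# dhparam: PEM output of 'openssl dhparam 4096', generated on the control host`. A follow-up task running `/usr/bin/openssl dhparam -in /etc/openvpn/keys/dh.pem -check -noout` with `changed_when: false` would reject malformed parameters before the service loads them. Mode "0444" looks reasonable because DH parameters are not secret. The install task's module lines fall outside the hunk, so how `content` is written could not be reviewed.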