From d10a4b69962d07e31bd2be65dc044c0268ec28a6 Mon Sep 17 00:00:00 2001
From: Justin Wind
Date: Mon, 23 Oct 2017 10:53:54 -0700
Subject: [PATCH] generate dhparam locally rather than on vpn server
---
 generate-ansible-vpcaccess-vars.sh | 15 ++++++++++++++-
 roles/msca-openvpn/tasks/main.yml | 10 ++++------
 2 files changed, 18 insertions(+), 7 deletions(-)
diff --git a/generate-ansible-vpcaccess-vars.sh b/generate-ansible-vpcaccess-vars.sh
index e951308..fcdf8ea 100755
--- a/generate-ansible-vpcaccess-vars.sh
+++ b/generate-ansible-vpcaccess-vars.sh
@@ -14,6 +14,7 @@ crl_pem="${1}_ca/pki/crl.pem"
 cert="${1}_ca/pki/issued/${2}.${1}.crt"
 key="${1}_ca/pki/private/${2}.${1}.key"
 ta_secret="${1}_ca/pki/ta.key"
+dhparam="${1}_ca/pki/dh.pem"
 
 # reuse any extant quagga password
 for v in "${1}"/group_vars/*vpcaccess*
@@ -23,11 +24,20 @@ do
 echo "found multiple potential quagga passwords; the chosen one may not be correct" 1>&2
 fi
 quagga_password=$(awk '/QUAGGA_PASSWORD:/{print $2}' "${v}")
+
+ if [ -n "${quagga_key}" ]
+ then
+ echo "found multiple potential quagga keys; the chosen one may not be correct" 1>&2
+ fi
 done
 if [ -z "${quagga_password}" ]
 then
 quagga_password=$(pwgen -y 16)
 fi
+if [ -z "${quagga_key}" ]
+then
+ quagga_key=$(pwgen -y 16)
+fi
 
 function onlycert(){
 sed -n '/-----BEGIN /,/-----END /p' "$@"
@@ -38,7 +48,8 @@ function indent(){ cat<
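Review bot: In the second hunk (`@@ -23,11 +24,20 @@`), the block added inside the `for v in ...` loop warns when `quagga_key` is already set, but none of the added lines reads a key out of `${v}`, so unlike `quagga_password` the key is never reused. As far as this hunk shows, every run falls through to `quagga_key=$(pwgen -y 16)` and emits a fresh secret, and the warning can only fire when the variable is inherited from the caller's environment. If reuse is intended, add the matching extraction after the warning, e.g. `quagga_key=$(awk '/<QUAGGA_KEY_VAR_NAME>:/{print $2}' "${v}")` (placeholder; use the key name the vars file actually writes). For a generated secret I would also pass `-s` to `pwgen`, because the default output is the pronounceable, lower-entropy form, and confirm that the symbols `-y` adds are quoted where the script writes them into YAML. The loop and its password check begin above this hunk, so that part is not fully visible here.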