From 9ab4e3f41140eb8de5d8b959a7ae9a61a17dd9ad Mon Sep 17 00:00:00 2001
From: Tobias Macey
Date: Mon, 19 Sep 2016 11:35:30 -0400
Subject: [PATCH] Added dhparam file creation
In order to improve security and ease of use, added creation/generation of dhparam file.
---
 nginx/ng/certificates.sls | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/nginx/ng/certificates.sls b/nginx/ng/certificates.sls
index 8fdc54f..ea74c28 100644
--- a/nginx/ng/certificates.sls
+++ b/nginx/ng/certificates.sls
@@ -2,6 +2,24 @@ include:
 - nginx.ng.service
 {% set certificates_path = salt['pillar.get']('nginx:ng:certificates_path', '/etc/nginx/ssl') %}
+
+{% if salt.pillar.get('nginx:ng:dh_contents') %}
+create_nginx_dhparam_key:
+ file.managed:
+ - name: {{ certificates_path }}/dhparam.pem
+ - contents_pillar: nginx:ng:dh_contents
+ - makedirs: True
+{% elif salt.pillar.get('nginx:ng:dh_keygen', False) %}
+generate_nginx_dhparam_key:
+ file.directory:
+ - name: {{ certificates_path }}
+ - makedirs: True
+ cmd.run:
+ - name: openssl dhparam -out dhparam.pem {{ salt.pillar.get('nginx:ng:dh_keysize', 2048) }}
+ - cwd: {{ certificates_path }}
+ - creates: {{ certificates_path }}/dhparam.pem
+{% endif %}
+
 {%- for domain in salt['pillar.get']('nginx:ng:certificates', {}).keys() %}
 nginx_{{ domain }}_ssl_certificate:
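Review bot: The `cmd.run` line in `generate_nginx_dhparam_key` interpolates `nginx:ng:dh_keysize` from pillar straight into the shell command with no integer coercion and no lower bound, so a typo or a value such as 1024 either breaks the command or silently generates parameters weaker than the 2048-bit default. Coerce it once, e.g. `{% set dh_keysize = salt.pillar.get('nginx:ng:dh_keysize', 2048)|int %}` and `- name: openssl dhparam -out dhparam.pem {{ dh_keysize }}`, and fail the state when the result is below 2048. A comment above `- creates:` would also help: it only checks that the file exists, so a dhparam.pem already on the host (possibly a weaker one) is never regenerated and later changes to `dh_keysize` have no effect. Neither state sets `user`, `group` or `mode` on dhparam.pem, so ownership and permissions fall to defaults. Nothing visible in the hunk ties the new file to a reload of the nginx service, though that may be handled elsewhere in the file.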