From 9f55919e4c8515dc557c263e6b07ea8774170fa5 Mon Sep 17 00:00:00 2001
From: Adar Nimrod <nimrod@shore.co.il>
Date: Wed, 3 Mar 2021 18:51:11 +0200
Subject: [PATCH] Force recreate dhparams if older than 4 weeks.

---
 tasks/renew-cert.yaml | 26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)

diff --git a/tasks/renew-cert.yaml b/tasks/renew-cert.yaml
index 90e0fb5..5531dcf 100644
--- a/tasks/renew-cert.yaml
+++ b/tasks/renew-cert.yaml
@@ -134,13 +134,23 @@
   notify: '{{ handlers|default([]) }}'
 
 - name: Generate Diffie-Hellman parameters on {{ host }}
-  delegate_to: *delegate_to
-  community.crypto.openssl_dhparam:
-    force: true
-    mode: 0o0644
-    path: /var/ssl/dhparams
-    size: 4096
-    state: present
-  notify: '{{ handlers|default([]) }}'
   tags:
     - dhparams
+  delegate_to: *delegate_to
+  block:
+    - name: Get dhparams file stat
+      ansible.builtin.stat:
+        path: &dhparams /var/ssl/dhparams
+      register: dhparams_stat
+
+    - name: Generate Diffie-Hellman parameters on {{ host }}
+      community.crypto.openssl_dhparam:
+        # yamllint disable rule:line-length
+        force: |-
+          {{ (ansible_date_time.epoch|int - dhparams_stat.stat.mtime|int)/(60*60*24*7) >= 0 }}
+        # yamllint enable rule:line-length
+        mode: 0o0644
+        path: *dhparams
+        size: 4096
+        state: present
+      notify: '{{ handlers|default([]) }}'
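Review bot: The `force` expression at line 39 compares the file age against `>= 0`, which is true for any mtime in the past, so the task still regenerates the 4096-bit parameters on every run exactly as the removed `force: true` did, and the four-week threshold named in the commit subject is never applied; the comparison needs to be `>= 4` (or compare the raw second difference against `60*60*24*7*4`). The same template also dereferences `dhparams_stat.stat.mtime`, which the `stat` module does not return when the file is absent, so a first run on a fresh host will fail with an undefined-variable error before `openssl_dhparam` gets a chance to create the file; guard it with the `exists` flag first, e.g. `force: "{{ not dhparams_stat.stat.exists or (ansible_date_time.epoch|int - dhparams_stat.stat.mtime|int) >= 60*60*24*7*4 }}"`. Note that `ansible_date_time` is only populated when facts are gathered for the play, which is not visible in this hunk; if the role may run with `gather_facts: false`, consider documenting that requirement above the block, e.g. `# requires gathered facts (ansible_date_time) on the delegate host`. The enclosing task list starts before this hunk.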
-- 
GitLab