Merge pull request #12968 from andersk/ffdhe2048

nginx: Use fixed ffdhe2048 DH parameter (RFC 7919)

puppet/zulip/files/nginx/dhparam.pem

@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----

puppet/zulip/manifests/nginx.pp

@@ -3,7 +3,6 @@ class zulip::nginx {
   $web_packages = [
     # Needed to run nginx with the modules we use
     $zulip::common::nginx,
-    'openssl',
     'ca-certificates',
   ]
   package { $web_packages: ensure => 'installed' }
@@ -49,10 +48,14 @@ class zulip::nginx {
     source  => $uploads_route,
   }
 
-  exec { 'dhparam':
+  file { '/etc/nginx/dhparam.pem':
-    command => 'openssl dhparam -out /etc/nginx/dhparam.pem 2048',
+    ensure  => file,
-    creates => '/etc/nginx/dhparam.pem',
+    require => Package[$zulip::common::nginx],
-    require => Package[$zulip::common::nginx, 'openssl'],
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    notify  => Service['nginx'],
+    source  => 'puppet:///modules/zulip/nginx/dhparam.pem',
   }
 
   file { '/etc/nginx/nginx.conf':