authorJesse Luehrs <doy@tozt.net>2018-10-14 19:09:45 -0400
committerJesse Luehrs <doy@tozt.net>2018-10-14 19:09:45 -0400
commitd82a2f3b46d8320523b383249e3eda307ed13e14 (patch)
treeeb1570af5e0ee5c4b20eeb3f4292168b81e7056b /modules/nginx
parente3d4e2e7bf93356fafaff2398cec60d65d6b3873 (diff)
use a hardcoded dhparam.pem
it doesn't need to be secret, and generating a 4096-bit dhparam takes quite a long time (long enough to make initial server provisioning annoyingly long)
Diffstat (limited to 'modules/nginx')
-rw-r--r--modules/nginx/files/dhparam.pem13
-rw-r--r--modules/nginx/manifests/config.pp9
2 files changed, 15 insertions, 7 deletions
diff --git a/modules/nginx/files/dhparam.pem b/modules/nginx/files/dhparam.pem
new file mode 100644
index 0000000..4aa2270
--- /dev/null
+++ b/modules/nginx/files/dhparam.pem
@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----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=
+-----END DH PARAMETERS-----
diff --git a/modules/nginx/manifests/config.pp b/modules/nginx/manifests/config.pp
index 4987851..8a95edd 100644
--- a/modules/nginx/manifests/config.pp
+++ b/modules/nginx/manifests/config.pp
@@ -12,12 +12,7 @@ class nginx::config {
source => 'puppet:///modules/nginx/mime.types.paste';
"/etc/nginx/nginx.conf":
source => 'puppet:///modules/nginx/nginx.conf';
- }
-
- exec { 'openssl dhparam -out /etc/nginx/dhparam.pem 4096':
- path => '/usr/bin',
- creates => '/etc/nginx/dhparam.pem',
- timeout => 3600,
- require => Class["haveged"];
+ "/etc/nginx/dhparam.pem":
+ source => 'puppet:///modules/nginx/dhparam.pem';
}
}
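Review bot: The new `"/etc/nginx/dhparam.pem"` resource ships one fixed DH group to every host, but nothing in the change records where those parameters came from or how a reader can confirm they are a well-formed safe-prime group. The commit message is right that the file need not be secret, so the gap is provenance rather than confidentiality. I would add a comment above the resource such as `# public DH group shared by all hosts; validate with: openssl dhparam -check -noout -in dhparam.pem`, or swap the file for a published group (for example ffdhe4096 from RFC 7919) whose origin is checkable. Hosts that were already provisioned will have their locally generated file replaced, and no `notify` for the nginx service is visible on the added lines. The enclosing `file { … }` block starts outside the hunk, so confirm whether owner, mode and a reload are set there.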