- name: check if /etc/ssl/dh4096.pem
  stat:
    path: /etc/ssl/dh4096.pem
  register: st
  tags: dh

- name: generate a new /etc/ssl/dh4096.pem
  shell: openssl dhparam -out /etc/ssl/dh4096.pem -outform PEM -2 4096
  when: not st.stat.exists
  tags: dh

- name: set attributes on /etc/ssl/dh4096.pem
  file:
    path: /etc/ssl/dh4096.pem
    owner: root
    group: www-data
    mode: 0640
  tags: dh