author | aszlig <aszlig@nix.build> | 2018-05-08 02:09:46 +0200
committer | aszlig <aszlig@nix.build> | 2018-05-08 02:09:46 +0200
commit | 78b4b90d6c9a3310b8a8ba3ac450240d03199bf0 (patch)
tree | 8483a3ca0be5a7616e90ccde499429d9d7ae1fe0 /nixos/doc
parent | ec198337c4d50e4bd94e84db6bc886d375761564 (diff)
parent | a8b7372380725af56c213cdb01893640d5097c16 (diff)
Merge pull request #39526 (improve dhparams)
This introduces an option that allows us to turn off stateful generation of Diffie-Hellman parameters, which in some way is still "stateful", as the generated DH params file is non-deterministic.

However, what we can avoid with this is an increased surface for failures during system startup, because generation of the parameters is done at build time.

Aside from adding a NixOS VM test, it also restructures the type of the security.dhparams.params option so that it's a submodule. A new defaultBitSize option is also there to allow users to set a system-wide default.

I added a release notes entry that describes what has changed and also included a few notes for module developers using this module, as the first usage already popped up in NixOS/nixpkgs#39507.

Thanks to @Ekleog and @abbradar for reviewing.
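The following NixOS configuration is an added example, not part of this merge or of the release note it adds. It exercises the options the commit message describes together: stateless (build-time) generation, a system-wide `defaultBitSize`, one parameter set that inherits that default and one that overrides it, and a consumer that reads the generated path through `config.security.dhparams.params.<name>.path`. Assumptions: `security.dhparams.enable` and the per-entry `bits` option are taken to be the names used by this module version (only `stateless`, `defaultBitSize`, `path` and `params.<name>.path` are confirmed on this page), and `myservice` and `legacy` are hypothetical service names.

```nix
# Added example (not the project's own code). Assumed option names:
# security.dhparams.enable and params.<name>.bits; service names are
# hypothetical.
{ config, pkgs, ... }:

{
  security.dhparams = {
    enable = true;

    # Generate the parameters at build time and keep them in the Nix
    # store instead of generating them into /var/lib/dhparams at boot.
    # A slow or failing generation then fails the build, not system
    # startup. The derivation is non-deterministic, so expect a fresh
    # file whenever the entry is rebuilt.
    stateless = true;

    # System-wide default, used by every entry that does not set its
    # own size.
    defaultBitSize = 3072;

    params = {
      # Inherits defaultBitSize, as the release note recommends for
      # module code.
      myservice = {};

      # Explicit per-entry override (assumed option name `bits`).
      legacy.bits = 2048;
    };
  };

  # Consumer: never hard-code /var/lib/dhparams; with stateless = true
  # the file lives in the Nix store, so resolve it through .path.
  environment.etc."myservice.conf".text = ''
    dhparams = ${config.security.dhparams.params.myservice.path}
  '';
}
```

After a rebuild, `openssl dhparam -text -noout -in <path>` on the path that `config.security.dhparams.params.myservice.path` evaluates to shows the modulus size, which is the quickest way to confirm the default took effect. Placing the file in the world-readable Nix store is not a confidentiality problem: Diffie-Hellman group parameters (p and g) are public by design; only the per-connection exponents must stay secret.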
Diffstat (limited to 'nixos/doc')
-rw-r--r-- | nixos/doc/manual/release-notes/rl-1809.xml | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/nixos/doc/manual/release-notes/rl-1809.xml b/nixos/doc/manual/release-notes/rl-1809.xml index 7136f4540502..7259be4c904c 100644 --- a/nixos/doc/manual/release-notes/rl-1809.xml +++ b/nixos/doc/manual/release-notes/rl-1809.xml @@ -175,6 +175,58 @@ $ nix-instantiate -E '(import <nixpkgsunstable> {}).gitFull' for further reference. </para> </listitem> + <listitem> + <para> + The module for <option>security.dhparams</option> has two new options now: + </para> + + <variablelist> + <varlistentry> + <term><option>security.dhparams.stateless</option></term> + <listitem><para> + Puts the generated Diffie-Hellman parameters into the Nix store instead + of managing them in a stateful manner in + <filename class="directory">/var/lib/dhparams</filename>. + </para></listitem> + </varlistentry> + <varlistentry> + <term><option>security.dhparams.defaultBitSize</option></term> + <listitem><para> + The default bit size to use for the generated Diffie-Hellman parameters. + </para></listitem> + </varlistentry> + </variablelist> + + <note><para> + The path to the actual generated parameter files should now be queried + using + <literal>config.security.dhparams.params.<replaceable>name</replaceable>.path</literal> + because it might be either in the Nix store or in a directory configured + by <option>security.dhparams.path</option>. + </para></note> + + <note> + <title>For developers:</title> + <para> + Module implementers should not set a specific bit size in order to let + users configure it by themselves if they want to have a different bit + size than the default (2048). + </para> + <para> + An example usage of this would be: +<programlisting> +{ config, ... }: + +{ + security.dhparams.params.myservice = {}; + environment.etc."myservice.conf".text = '' + dhparams = ${config.security.dhparams.params.myservice.path} + ''; +} +</programlisting> + </para> + </note> + </listitem> </itemizedlist> </section> </section> |
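Review bot: the `security.dhparams.stateless` entry should say when the parameters are generated, not only where they end up. The commit message makes the point that generation moves to build time, and that is the trade-off a user needs before enabling it: a non-deterministic, possibly slow `dhparam` run inside the build instead of at boot, re-run whenever the entry is rebuilt. Suggest extending the paragraph along the lines of `Puts the generated Diffie-Hellman parameters into the Nix store, generating them at build time instead of at system startup, rather than managing them in a stateful manner in /var/lib/dhparams.` Two smaller points in the same hunk: the `security.dhparams.defaultBitSize` entry should name its default value, since `2048` currently appears only in the developer note further down, and the `<title>For developers:</title>` carries a trailing colon that belongs to inline prose, not to a title; drop it.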