authoraszlig <aszlig@nix.build>2018-04-26 06:19:48 +0200
committeraszlig <aszlig@nix.build>2018-04-26 08:04:48 +0200
commit761266bd18cf1117a11d2fd6168259f7fe867122 (patch)
treeb3d419e6d5450cb915475c81c2bca654ec493407 /nixos/modules/security/dhparams.nix
parent4de774a63bef6d97246641212d8c38cc34ff6665 (diff)
nixos/dhparams: Turn params into a submodule
We're going to implement an option which allows us to turn off stateful
handling of Diffie-Hellman parameter files by putting them into the Nix
store.

However, modules now might need a way to reference these files, so we
add a new path option to every param specified, which carries a
read-only value of the path where to find the corresponding DH params
file.

I've also improved the description of security.dhparams.params a bit so
that it uses <warning/> and <note/>.

The NixOS VM test also reflects this change and checks whether the old
way to specify the bit size still works.

Signed-off-by: aszlig <aszlig@nix.build>
Cc: @Ekleog
Diffstat (limited to 'nixos/modules/security/dhparams.nix')
-rw-r--r--nixos/modules/security/dhparams.nix64
1 files changed, 47 insertions, 17 deletions
diff --git a/nixos/modules/security/dhparams.nix b/nixos/modules/security/dhparams.nix
index 55c75713101d..7c9fe986e576 100644
--- a/nixos/modules/security/dhparams.nix
+++ b/nixos/modules/security/dhparams.nix
@@ -1,10 +1,38 @@
 { config, lib, pkgs, ... }:
 
 with lib;
+
 let
   cfg = config.security.dhparams;
-in
-{
+
+  paramsSubmodule = { name, config, ... }: {
+    options.bits = mkOption {
+      type = types.addCheck types.int (b: b >= 16) // {
+        name = "bits";
+        description = "integer of at least 16 bits";
+      };
+      default = 4096;
+      description = ''
+        The bit size for the prime that is used during a Diffie-Hellman
+        key exchange.
+      '';
+    };
+
+    options.path = mkOption {
+      type = types.path;
+      readOnly = true;
+      description = ''
+        The resulting path of the generated Diffie-Hellman parameters
+        file for other services to reference. This could be either a
+        store path or a file inside the directory specified by
+        <option>security.dhparams.path</option>.
+      '';
+    };
+
+    config.path = "${cfg.path}/${name}.pem";
+  };
+
+in {
   options = {
     security.dhparams = {
       params = mkOption {
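Review bot: The `types.addCheck types.int (b: b >= 16)` bound, together with the type description "integer of at least 16 bits", reads as if 16 were an acceptable DH parameter size, whereas it can only be a sanity check against nonsensical input; a comment above that line would prevent a reader from taking it as a recommendation, e.g. `# Lower bound only rejects nonsensical sizes; it is not a security floor.`. In the same submodule the argument pattern `{ name, config, ... }` binds a `config` that shadows the module's own `config` from the top of the file, and the body only uses `name` (and the outer `cfg`), so `paramsSubmodule = { name, ... }: {` would avoid the confusing shadow. The `path` option's description says the value "could be either a store path" although `config.path` in this hunk is always `"${cfg.path}/${name}.pem"`; presumably this anticipates the store-path option mentioned in the commit message, so it may be worth wording it as a forward reference. The `options` attribute set opened at the end of this hunk continues outside it.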
@@ -14,21 +42,23 @@ in
 
             The value is the size (in bits) of the DH params to generate. The
             generated DH params path can be found in
-            <filename><replaceable>security.dhparams.path</replaceable>/<replaceable>name</replaceable>.pem</filename>.
+            <literal>config.security.dhparams.params.<replaceable>name</replaceable>.path</literal>.
 
-            Note: The name of the DH params is taken as being the name of the
-            service it serves: the params will be generated before the said
-            service is started.
+            <note><para>The name of the DH params is taken as being the name of
+            the service it serves and the params will be generated before the
+            said service is started.</para></note>
 
-            Warning: If you are removing all dhparams from this list, you have
-            to leave security.dhparams.enable for at least one activation in
-            order to have them be cleaned up. This also means if you rollback to
-            a version without any dhparams the existing ones won't be cleaned
-            up.
+            <warning><para>If you are removing all dhparams from this list, you
+            have to leave <option>security.dhparams.enable</option> for at
+            least one activation in order to have them be cleaned up. This also
+            means if you rollback to a version without any dhparams the
+            existing ones won't be cleaned up.</para></warning>
           '';
-        type = with types; attrsOf int;
+        type = with types; let
+          coerce = bits: { inherit bits; };
+        in attrsOf (coercedTo types.int coerce (submodule paramsSubmodule));
         default = {};
-        example = { nginx = 3072; };
+        example = literalExample "{ nginx.bits = 3072; }";
       };
 
       path = mkOption {
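Review bot: The unchanged context sentence "The value is the size (in bits) of the DH params to generate." is now stale, since `coercedTo types.int coerce (submodule paramsSubmodule)` also accepts an attribute set with a `bits` attribute, which is exactly what the new `literalExample "{ nginx.bits = 3072; }"` shows; I would change it to `The value is either the size (in bits) of the DH params to generate or an attribute set with a <literal>bits</literal> attribute.`. As a point of style, `types.int` inside the `with types;` expression can simply be `int`, matching the surrounding `attrsOf`, `coercedTo` and `submodule`. The `path = mkOption {` opened at the end of this hunk continues outside it.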
@@ -71,10 +101,10 @@ in
               if [ ! -f "$file" ]; then
                 continue
               fi
-          '' + concatStrings (mapAttrsToList (name: value:
+          '' + concatStrings (mapAttrsToList (name: { bits, ... }:
           ''
               if [ "$file" == "${cfg.path}/${name}.pem" ] && \
-                  ${pkgs.openssl}/bin/openssl dhparam -in "$file" -text | head -n 1 | grep "(${toString value} bit)" > /dev/null; then
+                  ${pkgs.openssl}/bin/openssl dhparam -in "$file" -text | head -n 1 | grep "(${toString bits} bit)" > /dev/null; then
                 continue
               fi
           ''
@@ -89,7 +119,7 @@ in
           '';
       };
     } //
-      mapAttrs' (name: value: nameValuePair "dhparams-gen-${name}" {
+      mapAttrs' (name: { bits, ... }: nameValuePair "dhparams-gen-${name}" {
         description = "Generate Diffie-Hellman parameters for ${name} if they don't exist yet";
         after = [ "dhparams-init.service" ];
         before = [ "${name}.service" ];
@@ -99,7 +129,7 @@ in
           ''
             mkdir -p ${cfg.path}
             if [ ! -f ${cfg.path}/${name}.pem ]; then
-              ${pkgs.openssl}/bin/openssl dhparam -out ${cfg.path}/${name}.pem ${toString value}
+              ${pkgs.openssl}/bin/openssl dhparam -out ${cfg.path}/${name}.pem ${toString bits}
             fi
           '';
       }) cfg.params;
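Review bot: The `openssl dhparam -out ${cfg.path}/${name}.pem ${toString bits}` line, like the `mkdir -p ${cfg.path}` and `if [ ! -f ${cfg.path}/${name}.pem ]` lines above it, interpolates the configured directory and the attribute name into the shell script unquoted, while the check in the dhparams-init hunk already writes `"$file" == "${cfg.path}/${name}.pem"` with quotes; a `security.dhparams.path` containing whitespace would break this script but not that one. Quoting the three occurrences, e.g. `mkdir -p "${cfg.path}"`, `if [ ! -f "${cfg.path}/${name}.pem" ]; then` and `... dhparam -out "${cfg.path}/${name}.pem" ${toString bits}`, makes the two scripts consistent. The two hunks between this one and the first only rename the lambda parameter to the destructured `{ bits, ... }` and need no separate comment.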