author | Léo Gaspard <leo@gaspard.io> | 2017-02-10 18:36:36 +0100 |
---|---|---|
committer | Léo Gaspard <leo@gaspard.io> | 2017-02-18 00:07:03 +0100 |
commit | e2c78910d1134ee2c971a99d1f577b5d915711b8 (patch) | |
tree | 34496d098bb71539d9af1a8c12eed2b843edcb13 /nixos/modules/security/dhparams.nix | |
parent | 97bf0637d5bec8d1fe7a9b0b5a220528afbac97c (diff) | |
dhparams module: initialize
Diffstat (limited to 'nixos/modules/security/dhparams.nix')
-rw-r--r-- | nixos/modules/security/dhparams.nix | 90 |
1 files changed, 90 insertions, 0 deletions
diff --git a/nixos/modules/security/dhparams.nix b/nixos/modules/security/dhparams.nix
new file mode 100644
index 000000000000..c16cd2fafef4
--- /dev/null
+++ b/nixos/modules/security/dhparams.nix
@@ -0,0 +1,90 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.security.dhparams; +in +{ + options = { + security.dhparams = { + params = mkOption { + description = + '' + Diffie-Hellman parameters to generate. + + The value is the size (in bits) of the DH params to generate. The + generated DH params path can be found in + <filename><replaceable>security.dhparams.path</replaceable>/<replaceable>name</replaceable>.pem</filename>. + + Note: The name of the DH params is taken as being the name of the + service it serves: the params will be generated before the said + service is started. + ''; + type = with types; attrsOf int; + default = {}; + example = { nginx = 3072; }; + }; + + path = mkOption { + description = + '' + Path to the directory in which Diffie-Hellman parameters will be + stored. + ''; + type = types.str; + default = "/var/lib/dhparams"; + }; + }; + }; + + config.systemd.services = { + dhparams-init = { + description = "Cleanup old Diffie-Hellman parameters"; + wantedBy = [ "multi-user.target" ]; # Clean up even when no DH params is set + serviceConfig.Type = "oneshot"; + script = + # Create directory + '' + if [ ! -d ${cfg.path} ]; then + mkdir -p ${cfg.path} + fi + '' + + # Remove old dhparams + '' + for file in ${cfg.path}/*; do + if [ ! 
-f "$file" ]; then + continue + fi + '' + concatStrings (mapAttrsToList (name: value: + '' + if [ "$file" == "${cfg.path}/${name}.pem" ] && \ + ${pkgs.openssl}/bin/openssl dhparam -in "$file" -text | head -n 1 | grep "(${toString value} bit)" > /dev/null; then + continue + fi + '' + ) cfg.params) + + '' + rm $file + done + + # TODO: Ideally this would be removing the *former* cfg.path, though this + # does not seem really important + rmdir -p --ignore-fail-on-non-empty ${cfg.path} + ''; + }; + } // + mapAttrs' (name: value: nameValuePair "dhparams-gen-${name}" { + description = "Generate Diffie-Hellman parameters for ${name} if they don't exist yet"; + after = [ "dhparams-init.service" ]; + before = [ "${name}.service" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig.Type = "oneshot"; + script = + '' + mkdir -p ${cfg.path} + if [ ! -f ${cfg.path}/${name}.pem ]; then + ${pkgs.openssl}/bin/openssl dhparam -out ${cfg.path}/${name}.pem ${toString value} + fi + ''; + }) cfg.params; +} |
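Review bot: The cleanup loop in dhparams-init removes every regular file in `${cfg.path}` that is not a currently configured parameter of the expected bit size (the `rm $file` after the `continue` guards), so pointing `security.dhparams.path` at a directory that holds anything else destroys those files on every boot, and the `path` option description does not say so. I would extend that description with `This directory is managed by the module: any file in it that is not a configured Diffie-Hellman parameter file is removed when dhparams-init runs.` The shell expansions should also be quoted, `rm "$file"` and `"${cfg.path}"`, since `path` is a free-form `types.str` and a value containing whitespace would make the loop and the `rm` operate on the wrong names. The `openssl dhparam -in "$file" -text | head -n 1 | grep "(… bit)"` test also deletes a file openssl cannot parse at all, which looks intended but deserves a one-line comment such as `# unparseable or wrongly sized params are discarded and regenerated by dhparams-gen-*`.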