author | Robin Gloster <mail@glob.in> | 2017-02-23 17:16:04 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-02-23 17:16:04 +0100 |
commit | 940492cef5e0180dc8aec51777372748f5e496e9 (patch) | |
tree | d50722c8ffe074db95374d69f091fffb090a85cc /nixos/modules | |
parent | cb63a0b2dad24105618c7df1d0e0032dba96889f (diff) | |
parent | e2c78910d1134ee2c971a99d1f577b5d915711b8 (diff) | |
Merge pull request #22634 from Ekleog/dhparams
dhparams module: initialize
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/security/dhparams.nix | 90 |
2 files changed, 91 insertions, 0 deletions
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 6dc82f604333..8ec985acae3b 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -106,6 +106,7 @@
 ./security/audit.nix
 ./security/ca.nix
 ./security/chromium-suid-sandbox.nix
+ ./security/dhparams.nix
 ./security/duosec.nix
 ./security/grsecurity.nix
 ./security/hidepid.nix
diff --git a/nixos/modules/security/dhparams.nix b/nixos/modules/security/dhparams.nix
new file mode 100644
index 000000000000..c16cd2fafef4
--- /dev/null
+++ b/nixos/modules/security/dhparams.nix
@@ -0,0 +1,90 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.security.dhparams; +in +{ + options = { + security.dhparams = { + params = mkOption { + description = + '' + Diffie-Hellman parameters to generate. + + The value is the size (in bits) of the DH params to generate. The + generated DH params path can be found in + <filename><replaceable>security.dhparams.path</replaceable>/<replaceable>name</replaceable>.pem</filename>. + + Note: The name of the DH params is taken as being the name of the + service it serves: the params will be generated before the said + service is started. + ''; + type = with types; attrsOf int; + default = {}; + example = { nginx = 3072; }; + }; + + path = mkOption { + description = + '' + Path to the directory in which Diffie-Hellman parameters will be + stored. + ''; + type = types.str; + default = "/var/lib/dhparams"; + }; + }; + }; + + config.systemd.services = { + dhparams-init = { + description = "Cleanup old Diffie-Hellman parameters"; + wantedBy = [ "multi-user.target" ]; # Clean up even when no DH params is set + serviceConfig.Type = "oneshot"; + script = + # Create directory + '' + if [ ! -d ${cfg.path} ]; then + mkdir -p ${cfg.path} + fi + '' + + # Remove old dhparams + '' + for file in ${cfg.path}/*; do + if [ ! 
-f "$file" ]; then + continue + fi + '' + concatStrings (mapAttrsToList (name: value: + '' + if [ "$file" == "${cfg.path}/${name}.pem" ] && \ + ${pkgs.openssl}/bin/openssl dhparam -in "$file" -text | head -n 1 | grep "(${toString value} bit)" > /dev/null; then + continue + fi + '' + ) cfg.params) + + '' + rm $file + done + + # TODO: Ideally this would be removing the *former* cfg.path, though this + # does not seem really important + rmdir -p --ignore-fail-on-non-empty ${cfg.path} + ''; + }; + } // + mapAttrs' (name: value: nameValuePair "dhparams-gen-${name}" { + description = "Generate Diffie-Hellman parameters for ${name} if they don't exist yet"; + after = [ "dhparams-init.service" ]; + before = [ "${name}.service" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig.Type = "oneshot"; + script = + '' + mkdir -p ${cfg.path} + if [ ! -f ${cfg.path}/${name}.pem ]; then + ${pkgs.openssl}/bin/openssl dhparam -out ${cfg.path}/${name}.pem ${toString value} + fi + ''; + }) cfg.params; +} |
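Review bot: In the `dhparams-gen-${name}` script near the end of the hunk, `openssl dhparam -out ${cfg.path}/${name}.pem` writes the final path directly, so a generation that is interrupted part-way (the unit is `oneshot` with no cleanup trap, and large parameter sizes can take a long time) leaves a truncated `${name}.pem` that the `[ ! -f … ]` guard then treats as complete on the next run; only a later run of `dhparams-init`, whose `openssl dhparam -in` check rejects such a file, would repair it. Writing to a temporary name and renaming keeps the existence check honest: `${pkgs.openssl}/bin/openssl dhparam -out ${cfg.path}/${name}.pem.tmp ${toString value}` followed by `mv ${cfg.path}/${name}.pem.tmp ${cfg.path}/${name}.pem`. In the cleanup loop of `dhparams-init`, `rm $file` is the one unquoted use of `$file` while the test lines quote it; `rm "$file"` keeps it consistent, and a stale `.tmp` left by the rename scheme would be swept there too, since it matches no configured name. Both scripts also interpolate `${cfg.path}` and `${name}` unquoted into shell, which is fine for the default path but is an assumption (a whitespace-free path) that the `path` option description could state, e.g. `The path must not contain whitespace; it is used unquoted in shell scripts.`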