author | aszlig <aszlig@nix.build> | 2018-04-26 06:19:48 +0200 |
---|---|---|
committer | aszlig <aszlig@nix.build> | 2018-04-26 08:04:48 +0200 |
commit | 761266bd18cf1117a11d2fd6168259f7fe867122 (patch) | |
tree | b3d419e6d5450cb915475c81c2bca654ec493407 /nixos/tests/dhparams.nix | |
parent | 4de774a63bef6d97246641212d8c38cc34ff6665 (diff) | |
nixos/dhparams: Turn params into a submodule
We're going to implement an option which allows us to turn off stateful handling of Diffie-Hellman parameter files by putting them into the Nix store. However, modules now might need a way to reference these files, so we add a new path option to every param specified, which carries a read-only value of the path where to find the corresponding DH params file. I've also improved the description of security.dhparams.params a bit so that it uses <warning/> and <note/>. The NixOS VM test also reflects this change and checks whether the old way to specify the bit size still works. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog
Diffstat (limited to 'nixos/tests/dhparams.nix')
-rw-r--r-- | nixos/tests/dhparams.nix | 16 |
1 files changed, 10 insertions, 6 deletions
diff --git a/nixos/tests/dhparams.nix b/nixos/tests/dhparams.nix
index 36079b990975..ead5f2efce7c 100644
--- a/nixos/tests/dhparams.nix
+++ b/nixos/tests/dhparams.nix
@@ -9,8 +9,13 @@ in import ./make-test.nix {
 nodes.generation1 = { pkgs, config, ... }: {
 imports = [ common ];
- security.dhparams.params.foo = 16;
- security.dhparams.params.bar = 17;
+ security.dhparams.params = {
+ # Use low values here because we don't want the test to run for ages.
+ foo.bits = 16;
+ # Also use the old format to make sure the type is coerced in the right
+ # way.
+ bar = 17;
+ };
 systemd.services.foo = {
 description = "Check systemd Ordering";
@@ -22,7 +27,7 @@ in import ./make-test.nix {
 DefaultDependencies = false;
 # We check later whether the service has been started or not.
- ConditionPathExists = "${config.security.dhparams.path}/foo.pem";
+ ConditionPathExists = config.security.dhparams.params.foo.path;
 };
 serviceConfig.Type = "oneshot";
 serviceConfig.RemainAfterExit = true;
@@ -37,7 +42,7 @@ in import ./make-test.nix {
 nodes.generation2 = {
 imports = [ common ];
- security.dhparams.params.foo = 18;
+ security.dhparams.params.foo.bits = 18;
 };
 nodes.generation3 = common;
@@ -45,8 +50,7 @@ in import ./make-test.nix {
 testScript = { nodes, ... }: let
 getParamPath = gen: name: let
 node = "generation${toString gen}";
- inherit (nodes.${node}.config.security.dhparams) path;
- in "${path}/${name}.pem";
+ in nodes.${node}.config.security.dhparams.params.${name}.path;
 assertParamBits = gen: name: bits: let
 path = getParamPath gen name; |
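Review bot: The comment above `foo.bits = 16` gives test speed as the reason for the size but does not say that 16- and 17-bit groups are useless as real DH parameters, so a reader copying from this test gets no signal that the values are test-only. I would reword it to `# Test-only sizes: 16/17-bit DH groups give no security, they only keep generation fast.` The `bar = 17` line is meant to cover the integer-to-submodule coercion, but that only holds if the test script also asserts bar's bit size. The script is outside this hunk, so that is worth confirming.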
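Review bot: With `ConditionPathExists` switched to `config.security.dhparams.params.foo.path` in the second hunk, and `getParamPath` switched the same way in the last hunk, nothing visible in this test still reads `security.dhparams.path`. Modules that keep building `"${config.security.dhparams.path}/NAME.pem"` by hand would then go untested if the directory option and the per-param `path` ever disagree. If the directory option stays supported, one assertion that `params.foo.path` equals the legacy location in the stateful case would pin that compatibility. The unit definition starts and ends outside the hunk.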
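Review bot: `getParamPath` in the last hunk now looks the name up in that generation's `params` attribute set, so calling it with a name the generation does not declare aborts evaluation of the whole test, where the old string concatenation produced a path for any name. This matters for checks that a removed parameter's file is gone, which have to go through a generation that still declares it. A comment above the helper would make the constraint explicit: `# name must be declared in generation gen's security.dhparams.params, otherwise evaluation fails`. The enclosing `let` block continues past the hunk.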