diff options
| author | aszlig <aszlig@nix.build> | 2018-05-07 04:33:56 +0200 |
|---|---|---|
| committer | aszlig <aszlig@nix.build> | 2018-05-07 04:58:52 +0200 |
| commit | 81fc2c35097f81ecb29a576148486cc1ce5a5bcc (patch) | |
| tree | 07c662457105fe5662f71d73bf6f64cda392b2d3 /nixos | |
| parent | b3d5ca8359d3fac0f21ccece79c202557a9433b5 (diff) | |
| download | nixlib-81fc2c35097f81ecb29a576148486cc1ce5a5bcc.tar nixlib-81fc2c35097f81ecb29a576148486cc1ce5a5bcc.tar.gz nixlib-81fc2c35097f81ecb29a576148486cc1ce5a5bcc.tar.bz2 nixlib-81fc2c35097f81ecb29a576148486cc1ce5a5bcc.tar.lz nixlib-81fc2c35097f81ecb29a576148486cc1ce5a5bcc.tar.xz nixlib-81fc2c35097f81ecb29a576148486cc1ce5a5bcc.tar.zst nixlib-81fc2c35097f81ecb29a576148486cc1ce5a5bcc.zip | |
nixos/dhparams: Add a defaultBitSize option
This allows to set the default bit size for all the Diffie-Hellman parameters defined in security.dhparams.params and it's particularly useful so that we can set it to a very low value in tests (so it doesn't take ages to generate). Regardless for the use in testing, this also has an impact in production systems if the owner wants to set all of them to a different size than 2048, they don't need to set it individually for every params that are set. I've added a subtest to the "dhparams" NixOS test to ensure this is working properly. Signed-off-by: aszlig <aszlig@nix.build>
Diffstat (limited to 'nixos')
| -rw-r--r-- | nixos/modules/security/dhparams.nix | 27 | ||||
| -rw-r--r-- | nixos/tests/dhparams.nix | 14 |
2 files changed, 36 insertions, 5 deletions
diff --git a/nixos/modules/security/dhparams.nix b/nixos/modules/security/dhparams.nix index beac125fc6e0..e2b84c3e3b38 100644 --- a/nixos/modules/security/dhparams.nix +++ b/nixos/modules/security/dhparams.nix @@ -4,13 +4,15 @@ let inherit (lib) mkOption types; cfg = config.security.dhparams; + bitType = types.addCheck types.int (b: b >= 16) // { + name = "bits"; + description = "integer of at least 16 bits"; + }; + paramsSubmodule = { name, config, ... }: { options.bits = mkOption { - type = types.addCheck types.int (b: b >= 16) // { - name = "bits"; - description = "integer of at least 16 bits"; - }; - default = 2048; + type = bitType; + default = cfg.defaultBitSize; description = '' The bit size for the prime that is used during a Diffie-Hellman key exchange. @@ -70,6 +72,11 @@ in { existing ones won't be cleaned up. Of course this only applies if <option>security.dhparams.stateful</option> is <literal>true</literal>.</para></warning> + + <note><title>For module implementers:</title><para>It's recommended + to not set a specific bit size here, so that users can easily + override this by setting + <option>security.dhparams.defaultBitSize</option>.</para></note> ''; }; @@ -89,6 +96,16 @@ in { ''; }; + defaultBitSize = mkOption { + type = bitType; + default = 2048; + description = '' + This allows to override the default bit size for all of the + Diffie-Hellman parameters set in + <option>security.dhparams.params</option>. + ''; + }; + path = mkOption { type = types.str; default = "/var/lib/dhparams"; diff --git a/nixos/tests/dhparams.nix b/nixos/tests/dhparams.nix index da75391e4ce5..d11dfeec5d0c 100644 --- a/nixos/tests/dhparams.nix +++ b/nixos/tests/dhparams.nix @@ -54,6 +54,13 @@ in import ./make-test.nix { security.dhparams.params.bar2.bits = 19; }; + nodes.generation5 = { + imports = [ common ]; + security.dhparams.defaultBitSize = 30; + security.dhparams.params.foo3 = {}; + security.dhparams.params.bar3 = {}; + }; + testScript = { nodes, ... }: let getParamPath = gen: name: let node = "generation${toString gen}"; @@ -126,5 +133,12 @@ in import ./make-test.nix { 'expr match ${getParamPath 4 "bar2"} ${builtins.storeDir}', ); }; + + ${switchToGeneration 5} + + subtest "check whether defaultBitSize works as intended", sub { + ${assertParamBits 5 "foo3" 30} + ${assertParamBits 5 "bar3" 30} + }; ''; } |