diff options
Diffstat (limited to 'nixos/modules/security/dhparams.nix')
-rw-r--r-- | nixos/modules/security/dhparams.nix | 113 |
1 files changed, 65 insertions, 48 deletions
diff --git a/nixos/modules/security/dhparams.nix b/nixos/modules/security/dhparams.nix index c16cd2fafef41..55c75713101d3 100644 --- a/nixos/modules/security/dhparams.nix +++ b/nixos/modules/security/dhparams.nix @@ -19,6 +19,12 @@ in Note: The name of the DH params is taken as being the name of the service it serves: the params will be generated before the said service is started. + + Warning: If you are removing all dhparams from this list, you have + to leave security.dhparams.enable for at least one activation in + order to have them be cleaned up. This also means if you rollback to + a version without any dhparams the existing ones won't be cleaned + up. ''; type = with types; attrsOf int; default = {}; @@ -34,57 +40,68 @@ in type = types.str; default = "/var/lib/dhparams"; }; + + enable = mkOption { + description = + '' + Whether to generate new DH params and clean up old DH params. + ''; + default = false; + type = types.bool; + }; }; }; - config.systemd.services = { - dhparams-init = { - description = "Cleanup old Diffie-Hellman parameters"; - wantedBy = [ "multi-user.target" ]; # Clean up even when no DH params is set - serviceConfig.Type = "oneshot"; - script = - # Create directory - '' - if [ ! -d ${cfg.path} ]; then - mkdir -p ${cfg.path} - fi - '' + - # Remove old dhparams - '' - for file in ${cfg.path}/*; do - if [ ! -f "$file" ]; then - continue - fi - '' + concatStrings (mapAttrsToList (name: value: - '' - if [ "$file" == "${cfg.path}/${name}.pem" ] && \ - ${pkgs.openssl}/bin/openssl dhparam -in "$file" -text | head -n 1 | grep "(${toString value} bit)" > /dev/null; then - continue + config = mkIf cfg.enable { + systemd.services = { + dhparams-init = { + description = "Cleanup old Diffie-Hellman parameters"; + wantedBy = [ "multi-user.target" ]; # Clean up even when no DH params is set + serviceConfig.Type = "oneshot"; + script = + # Create directory + '' + if [ ! -d ${cfg.path} ]; then + mkdir -p ${cfg.path} fi - '' - ) cfg.params) + - '' - rm $file - done + '' + + # Remove old dhparams + '' + for file in ${cfg.path}/*; do + if [ ! -f "$file" ]; then + continue + fi + '' + concatStrings (mapAttrsToList (name: value: + '' + if [ "$file" == "${cfg.path}/${name}.pem" ] && \ + ${pkgs.openssl}/bin/openssl dhparam -in "$file" -text | head -n 1 | grep "(${toString value} bit)" > /dev/null; then + continue + fi + '' + ) cfg.params) + + '' + rm $file + done - # TODO: Ideally this would be removing the *former* cfg.path, though this - # does not seem really important - rmdir -p --ignore-fail-on-non-empty ${cfg.path} - ''; - }; - } // - mapAttrs' (name: value: nameValuePair "dhparams-gen-${name}" { - description = "Generate Diffie-Hellman parameters for ${name} if they don't exist yet"; - after = [ "dhparams-init.service" ]; - before = [ "${name}.service" ]; - wantedBy = [ "multi-user.target" ]; - serviceConfig.Type = "oneshot"; - script = - '' - mkdir -p ${cfg.path} - if [ ! -f ${cfg.path}/${name}.pem ]; then - ${pkgs.openssl}/bin/openssl dhparam -out ${cfg.path}/${name}.pem ${toString value} - fi - ''; - }) cfg.params; + # TODO: Ideally this would be removing the *former* cfg.path, though this + # does not seem really important as changes to it are quite unlikely + rmdir --ignore-fail-on-non-empty ${cfg.path} + ''; + }; + } // + mapAttrs' (name: value: nameValuePair "dhparams-gen-${name}" { + description = "Generate Diffie-Hellman parameters for ${name} if they don't exist yet"; + after = [ "dhparams-init.service" ]; + before = [ "${name}.service" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig.Type = "oneshot"; + script = + '' + mkdir -p ${cfg.path} + if [ ! -f ${cfg.path}/${name}.pem ]; then + ${pkgs.openssl}/bin/openssl dhparam -out ${cfg.path}/${name}.pem ${toString value} + fi + ''; + }) cfg.params; + }; } |