nixpkgs-suyu/nixos/modules/security/dhparams.nix
2017-02-18 00:07:03 +01:00

90 lines
2.7 KiB
Nix

{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.security.dhparams;
in
{
options = {
security.dhparams = {
params = mkOption {
description =
''
Diffie-Hellman parameters to generate.
The value is the size (in bits) of the DH params to generate. The
generated DH params path can be found in
<filename><replaceable>security.dhparams.path</replaceable>/<replaceable>name</replaceable>.pem</filename>.
Note: The name of the DH params is taken as being the name of the
service it serves: the params will be generated before the said
service is started.
'';
type = with types; attrsOf int;
default = {};
example = { nginx = 3072; };
};
path = mkOption {
description =
''
Path to the directory in which Diffie-Hellman parameters will be
stored.
'';
type = types.str;
default = "/var/lib/dhparams";
};
};
};
config.systemd.services = {
dhparams-init = {
description = "Cleanup old Diffie-Hellman parameters";
wantedBy = [ "multi-user.target" ]; # Clean up even when no DH params is set
serviceConfig.Type = "oneshot";
script =
# Create directory
''
if [ ! -d ${cfg.path} ]; then
mkdir -p ${cfg.path}
fi
'' +
# Remove old dhparams
''
for file in ${cfg.path}/*; do
if [ ! -f "$file" ]; then
continue
fi
'' + concatStrings (mapAttrsToList (name: value:
''
if [ "$file" == "${cfg.path}/${name}.pem" ] && \
${pkgs.openssl}/bin/openssl dhparam -in "$file" -text | head -n 1 | grep "(${toString value} bit)" > /dev/null; then
continue
fi
''
) cfg.params) +
''
rm $file
done
# TODO: Ideally this would be removing the *former* cfg.path, though this
# does not seem really important
rmdir -p --ignore-fail-on-non-empty ${cfg.path}
'';
};
} //
mapAttrs' (name: value: nameValuePair "dhparams-gen-${name}" {
description = "Generate Diffie-Hellman parameters for ${name} if they don't exist yet";
after = [ "dhparams-init.service" ];
before = [ "${name}.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig.Type = "oneshot";
script =
''
mkdir -p ${cfg.path}
if [ ! -f ${cfg.path}/${name}.pem ]; then
${pkgs.openssl}/bin/openssl dhparam -out ${cfg.path}/${name}.pem ${toString value}
fi
'';
}) cfg.params;
}