From 81fc2c35097f81ecb29a576148486cc1ce5a5bcc Mon Sep 17 00:00:00 2001 From: aszlig Date: Mon, 7 May 2018 04:33:56 +0200 Subject: [PATCH] nixos/dhparams: Add a defaultBitSize option This allows to set the default bit size for all the Diffie-Hellman parameters defined in security.dhparams.params and it's particularly useful so that we can set it to a very low value in tests (so it doesn't take ages to generate). Regardless for the use in testing, this also has an impact in production systems if the owner wants to set all of them to a different size than 2048, they don't need to set it individually for every params that are set. I've added a subtest to the "dhparams" NixOS test to ensure this is working properly. Signed-off-by: aszlig --- nixos/modules/security/dhparams.nix | 27 ++++++++++++++++++++++----- nixos/tests/dhparams.nix | 14 ++++++++++++++ 2 files changed, 36 insertions(+), 5 deletions(-) diff --git a/nixos/modules/security/dhparams.nix b/nixos/modules/security/dhparams.nix index beac125fc6e0..e2b84c3e3b38 100644 --- a/nixos/modules/security/dhparams.nix +++ b/nixos/modules/security/dhparams.nix @@ -4,13 +4,15 @@ let inherit (lib) mkOption types; cfg = config.security.dhparams; + bitType = types.addCheck types.int (b: b >= 16) // { + name = "bits"; + description = "integer of at least 16 bits"; + }; + paramsSubmodule = { name, config, ... }: { options.bits = mkOption { - type = types.addCheck types.int (b: b >= 16) // { - name = "bits"; - description = "integer of at least 16 bits"; - }; - default = 2048; + type = bitType; + default = cfg.defaultBitSize; description = '' The bit size for the prime that is used during a Diffie-Hellman key exchange. @@ -70,6 +72,11 @@ in { existing ones won't be cleaned up. Of course this only applies if is true. + + For module implementers:It's recommended + to not set a specific bit size here, so that users can easily + override this by setting + . ''; }; @@ -89,6 +96,16 @@ in { ''; }; + defaultBitSize = mkOption { + type = bitType; + default = 2048; + description = '' + This allows to override the default bit size for all of the + Diffie-Hellman parameters set in + . + ''; + }; + path = mkOption { type = types.str; default = "/var/lib/dhparams"; diff --git a/nixos/tests/dhparams.nix b/nixos/tests/dhparams.nix index da75391e4ce5..d11dfeec5d0c 100644 --- a/nixos/tests/dhparams.nix +++ b/nixos/tests/dhparams.nix @@ -54,6 +54,13 @@ in import ./make-test.nix { security.dhparams.params.bar2.bits = 19; }; + nodes.generation5 = { + imports = [ common ]; + security.dhparams.defaultBitSize = 30; + security.dhparams.params.foo3 = {}; + security.dhparams.params.bar3 = {}; + }; + testScript = { nodes, ... }: let getParamPath = gen: name: let node = "generation${toString gen}"; @@ -126,5 +133,12 @@ in import ./make-test.nix { 'expr match ${getParamPath 4 "bar2"} ${builtins.storeDir}', ); }; + + ${switchToGeneration 5} + + subtest "check whether defaultBitSize works as intended", sub { + ${assertParamBits 5 "foo3" 30} + ${assertParamBits 5 "bar3" 30} + }; ''; }