
nixos/dhparams: Add a defaultBitSize option

This allows to set the default bit size for all the Diffie-Hellman
parameters defined in security.dhparams.params and it's particularly
useful so that we can set it to a very low value in tests (so it doesn't
take ages to generate).

Apart from its use in testing, this also helps on production systems: if
the owner wants all of the parameters to use a size other than 2048,
they no longer need to set the bit size individually for every entry in
security.dhparams.params.

I've added a subtest to the "dhparams" NixOS test to ensure this is
working properly.

Signed-off-by: aszlig <aszlig@nix.build>
This commit is contained in:
aszlig 2018-05-07 04:33:56 +02:00
parent b3d5ca8359
commit 81fc2c3509
2 changed files with 36 additions and 5 deletions


@ -4,13 +4,15 @@ let
inherit (lib) mkOption types; inherit (lib) mkOption types;
cfg = config.security.dhparams; cfg = config.security.dhparams;
paramsSubmodule = { name, config, ... }: { bitType = types.addCheck types.int (b: b >= 16) // {
options.bits = mkOption {
type = types.addCheck types.int (b: b >= 16) // {
name = "bits"; name = "bits";
description = "integer of at least 16 bits"; description = "integer of at least 16 bits";
}; };
default = 2048;
paramsSubmodule = { name, config, ... }: {
options.bits = mkOption {
type = bitType;
default = cfg.defaultBitSize;
description = '' description = ''
The bit size for the prime that is used during a Diffie-Hellman The bit size for the prime that is used during a Diffie-Hellman
key exchange. key exchange.
@ -70,6 +72,11 @@ in {
existing ones won't be cleaned up. Of course this only applies if existing ones won't be cleaned up. Of course this only applies if
<option>security.dhparams.stateful</option> is <option>security.dhparams.stateful</option> is
<literal>true</literal>.</para></warning> <literal>true</literal>.</para></warning>
<note><title>For module implementers:</title><para>It's recommended
to not set a specific bit size here, so that users can easily
override this by setting
<option>security.dhparams.defaultBitSize</option>.</para></note>
''; '';
}; };
@ -89,6 +96,16 @@ in {
''; '';
}; };
defaultBitSize = mkOption {
type = bitType;
default = 2048;
description = ''
This allows to override the default bit size for all of the
Diffie-Hellman parameters set in
<option>security.dhparams.params</option>.
'';
};
path = mkOption { path = mkOption {
type = types.str; type = types.str;
default = "/var/lib/dhparams"; default = "/var/lib/dhparams";
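Review bot: The description of the new `defaultBitSize` option (hunk at `@ -89,6 +96,16`) only says it overrides the default, while its type accepts any value down to 16 bits and the commit message states the option exists mainly to make tests fast; without that caveat a production user may lower it casually. I would extend the description with: `Every entry in <option>security.dhparams.params</option> that does not set its own <option>bits</option> uses this size. Values below 2048 bits are not considered secure and should only be used in tests (for example to speed up parameter generation).` It would also help to state in the same description whether changing this value causes already-generated parameters to be regenerated when <option>security.dhparams.stateful</option> is set; the hunk does not show the generation logic, so confirm that against the rest of the module. The `options` attribute set these hunks edit starts and ends outside the hunks.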


@ -54,6 +54,13 @@ in import ./make-test.nix {
security.dhparams.params.bar2.bits = 19; security.dhparams.params.bar2.bits = 19;
}; };
nodes.generation5 = {
imports = [ common ];
security.dhparams.defaultBitSize = 30;
security.dhparams.params.foo3 = {};
security.dhparams.params.bar3 = {};
};
testScript = { nodes, ... }: let testScript = { nodes, ... }: let
getParamPath = gen: name: let getParamPath = gen: name: let
node = "generation${toString gen}"; node = "generation${toString gen}";
@ -126,5 +133,12 @@ in import ./make-test.nix {
'expr match ${getParamPath 4 "bar2"} ${builtins.storeDir}', 'expr match ${getParamPath 4 "bar2"} ${builtins.storeDir}',
); );
}; };
${switchToGeneration 5}
subtest "check whether defaultBitSize works as intended", sub {
${assertParamBits 5 "foo3" 30}
${assertParamBits 5 "bar3" 30}
};
''; '';
} }
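Review bot: The new subtest (generation5, hunks at `@ -54,6 +54,13` and `@ -126,5 +133,12`) only checks parameters that inherit the default; it does not verify that an explicit per-parameter `bits` still takes precedence over `defaultBitSize`, which is the property a user relies on when one entry must keep a stronger size. Add `security.dhparams.params.baz3.bits = 20;` to `nodes.generation5` and `${assertParamBits 5 "baz3" 20}` to the subtest. Since 30 bits is far below anything usable, a comment next to `security.dhparams.defaultBitSize = 30;` such as `# tiny sizes keep generation fast; never use these in production` would make the intent clear to the next reader. The `nodes` definitions and the `testScript` string both start and end outside the hunks.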