public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
nixpkgs/nixos/modules/security/dhparams.nix

176 lines
6.0 KiB
Nix
Raw Normal View History

dhparams module: initialize
2017-02-10 18:36:36 +01:00
{ config, lib, pkgs, ... }:
let
nixos/dhparams: Clean up module expression First of all let's start with a clean up the multiline string indentation for descriptions, because having two indentation levels after description is a waste of screen estate. A quick survey in the form of the following also reveals that the majority of multiline strings in nixpkgs is starting the two beginning quotes in the same line: $ find -name '*.nix' -exec sed -n -e '/=$/ { n; /'\'\''/p }' {} + | wc -l 817 $ find -name '*.nix' -exec grep "= *'' *\$" {} + | wc -l 14818 The next point is to get the type, default and example attributes on top of the description because that's the way it's rendered in the manual. Most services have their enable option close to the beginning of the file, so let's move it to the top. Also, I found the script attribute for dhparams-init.service a bit hard to read as it was using string concatenation to split a "for" loop. Now for the more substantial clean ups rather than just code style: * Remove the "with lib;" at the beginning of the module, because it makes it easier to do a quick check with "nix-instantiate --parse". * Use ConditionPathExists instead of test -e for checking whether we need to generate the dhparams file. This avoids spawning a shell if the file exists already and it's probably more common that it will exist, except for the initial creation of course. * When cleaning up old dhparams file, use RemainAfterExit so that the unit won't be triggered again whenever we stop and start a service depending on it. * Capitalize systemd unit descriptions to be more in par with most other unit descriptions (also see 0c5e837b66f58265ce2b66a33d0f47a3). * Use "=" instead of "==" for conditionals using []. It's just a very small nitpick though and it will only fail for POSIX shells. Bash on the other side accepts it anyway. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog
2018-04-26 07:11:54 +02:00
inherit (lib) mkOption types;
dhparams module: initialize
2017-02-10 18:36:36 +01:00
cfg = config.security.dhparams;
nixos/dhparams: Turn params into a submodule We're going to implement an option which allows us to turn off stateful handling of Diffie-Hellman parameter files by putting them into the Nix store. However, modules now might need a way to reference these files, so we add a now path option to every param specified, which carries a read-only value of the path where to find the corresponding DH params file. I've also improved the description of security.dhparams.params a bit so that it uses <warning/> and <note/>. The NixOS VM test also reflects this change and checks whether the old way to specify the bit size still works. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog
2018-04-26 06:19:48 +02:00
nixos/dhparams: Add a defaultBitSize option This allows to set the default bit size for all the Diffie-Hellman parameters defined in security.dhparams.params and it's particularly useful so that we can set it to a very low value in tests (so it doesn't take ages to generate). Regardless for the use in testing, this also has an impact in production systems if the owner wants to set all of them to a different size than 2048, they don't need to set it individually for every params that are set. I've added a subtest to the "dhparams" NixOS test to ensure this is working properly. Signed-off-by: aszlig <aszlig@nix.build>
2018-05-07 04:33:56 +02:00
bitType = types.addCheck types.int (b: b >= 16) // {
name = "bits";
description = "integer of at least 16 bits";
};
nixos/dhparams: Turn params into a submodule We're going to implement an option which allows us to turn off stateful handling of Diffie-Hellman parameter files by putting them into the Nix store. However, modules now might need a way to reference these files, so we add a now path option to every param specified, which carries a read-only value of the path where to find the corresponding DH params file. I've also improved the description of security.dhparams.params a bit so that it uses <warning/> and <note/>. The NixOS VM test also reflects this change and checks whether the old way to specify the bit size still works. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog
2018-04-26 06:19:48 +02:00
paramsSubmodule = { name, config, ... }: {
options.bits = mkOption {
nixos/dhparams: Add a defaultBitSize option This allows to set the default bit size for all the Diffie-Hellman parameters defined in security.dhparams.params and it's particularly useful so that we can set it to a very low value in tests (so it doesn't take ages to generate). Regardless for the use in testing, this also has an impact in production systems if the owner wants to set all of them to a different size than 2048, they don't need to set it individually for every params that are set. I've added a subtest to the "dhparams" NixOS test to ensure this is working properly. Signed-off-by: aszlig <aszlig@nix.build>
2018-05-07 04:33:56 +02:00
type = bitType;
default = cfg.defaultBitSize;
nixos/dhparams: Turn params into a submodule We're going to implement an option which allows us to turn off stateful handling of Diffie-Hellman parameter files by putting them into the Nix store. However, modules now might need a way to reference these files, so we add a now path option to every param specified, which carries a read-only value of the path where to find the corresponding DH params file. I've also improved the description of security.dhparams.params a bit so that it uses <warning/> and <note/>. The NixOS VM test also reflects this change and checks whether the old way to specify the bit size still works. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog
2018-04-26 06:19:48 +02:00
description = ''
The bit size for the prime that is used during a Diffie-Hellman
key exchange.
'';
};
options.path = mkOption {
type = types.path;
readOnly = true;
description = ''
The resulting path of the generated Diffie-Hellman parameters
file for other services to reference. This could be either a
store path or a file inside the directory specified by
<option>security.dhparams.path</option>.
'';
};
nixos/dhparams: Introduce a 'stateful' option This option allows us to turn off stateful generation of Diffie-Hellman parameters, which in some way is still stateful as the generated DH params file is non-deterministic. However what we can avoid with this is to have an increased surface for failures during system startup, because generation of the parameters is done during build-time. Another advantage of this is that we no longer need to take care of cleaning up the files that are no longer used and in my humble opinion I would have preferred that #11505 (which puts the dhparams in the Nix store) would have been merged instead of #22634 (which we have now). Luckily we can still change that and this change gives the user the option to put the dhparams into the Nix store. Beside of the more obvious advantages pointed out here, this also effects test runtime if more services are starting to use this (for example see #39507 and #39288), because generating DH params could take a long time depending on the bit size which adds up to test runtime. If we generate the DH params in a separate derivation, subsequent test runs won't need to wait for DH params generation during bootup. Of course, tests could still mock this by force-disabling the service and adding a service or activation script that places pre-generated DH params in /var/lib/dhparams but this would make tests less readable and the workaround would have to be made for each test affected. Note that the 'stateful' option is still true by default so that we are backwards-compatible with existing systems. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog, @abbradar, @fpletz
2018-04-26 06:38:02 +02:00
config.path = let
generated = pkgs.runCommand "dhparams-${name}.pem" {
nativeBuildInputs = [ pkgs.openssl ];
} "openssl dhparam -out \"$out\" ${toString config.bits}";
in if cfg.stateful then "${cfg.path}/${name}.pem" else generated;
nixos/dhparams: Turn params into a submodule We're going to implement an option which allows us to turn off stateful handling of Diffie-Hellman parameter files by putting them into the Nix store. However, modules now might need a way to reference these files, so we add a now path option to every param specified, which carries a read-only value of the path where to find the corresponding DH params file. I've also improved the description of security.dhparams.params a bit so that it uses <warning/> and <note/>. The NixOS VM test also reflects this change and checks whether the old way to specify the bit size still works. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog
2018-04-26 06:19:48 +02:00
};
in {
dhparams module: initialize
2017-02-10 18:36:36 +01:00
options = {
security.dhparams = {
nixos/dhparams: Clean up module expression First of all let's start with a clean up the multiline string indentation for descriptions, because having two indentation levels after description is a waste of screen estate. A quick survey in the form of the following also reveals that the majority of multiline strings in nixpkgs is starting the two beginning quotes in the same line: $ find -name '*.nix' -exec sed -n -e '/=$/ { n; /'\'\''/p }' {} + | wc -l 817 $ find -name '*.nix' -exec grep "= *'' *\$" {} + | wc -l 14818 The next point is to get the type, default and example attributes on top of the description because that's the way it's rendered in the manual. Most services have their enable option close to the beginning of the file, so let's move it to the top. Also, I found the script attribute for dhparams-init.service a bit hard to read as it was using string concatenation to split a "for" loop. Now for the more substantial clean ups rather than just code style: * Remove the "with lib;" at the beginning of the module, because it makes it easier to do a quick check with "nix-instantiate --parse". * Use ConditionPathExists instead of test -e for checking whether we need to generate the dhparams file. This avoids spawning a shell if the file exists already and it's probably more common that it will exist, except for the initial creation of course. * When cleaning up old dhparams file, use RemainAfterExit so that the unit won't be triggered again whenever we stop and start a service depending on it. * Capitalize systemd unit descriptions to be more in par with most other unit descriptions (also see 0c5e837b66f58265ce2b66a33d0f47a3). * Use "=" instead of "==" for conditionals using []. It's just a very small nitpick though and it will only fail for POSIX shells. Bash on the other side accepts it anyway. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog
2018-04-26 07:11:54 +02:00
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to generate new DH params and clean up old DH params.
'';
};
dhparams module: initialize
2017-02-10 18:36:36 +01:00
params = mkOption {
nixos/dhparams: Turn params into a submodule We're going to implement an option which allows us to turn off stateful handling of Diffie-Hellman parameter files by putting them into the Nix store. However, modules now might need a way to reference these files, so we add a now path option to every param specified, which carries a read-only value of the path where to find the corresponding DH params file. I've also improved the description of security.dhparams.params a bit so that it uses <warning/> and <note/>. The NixOS VM test also reflects this change and checks whether the old way to specify the bit size still works. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog
2018-04-26 06:19:48 +02:00
type = with types; let
coerce = bits: { inherit bits; };
nixos/dhparams: Clean up module expression First of all let's start with a clean up the multiline string indentation for descriptions, because having two indentation levels after description is a waste of screen estate. A quick survey in the form of the following also reveals that the majority of multiline strings in nixpkgs is starting the two beginning quotes in the same line: $ find -name '*.nix' -exec sed -n -e '/=$/ { n; /'\'\''/p }' {} + | wc -l 817 $ find -name '*.nix' -exec grep "= *'' *\$" {} + | wc -l 14818 The next point is to get the type, default and example attributes on top of the description because that's the way it's rendered in the manual. Most services have their enable option close to the beginning of the file, so let's move it to the top. Also, I found the script attribute for dhparams-init.service a bit hard to read as it was using string concatenation to split a "for" loop. Now for the more substantial clean ups rather than just code style: * Remove the "with lib;" at the beginning of the module, because it makes it easier to do a quick check with "nix-instantiate --parse". * Use ConditionPathExists instead of test -e for checking whether we need to generate the dhparams file. This avoids spawning a shell if the file exists already and it's probably more common that it will exist, except for the initial creation of course. * When cleaning up old dhparams file, use RemainAfterExit so that the unit won't be triggered again whenever we stop and start a service depending on it. * Capitalize systemd unit descriptions to be more in par with most other unit descriptions (also see 0c5e837b66f58265ce2b66a33d0f47a3). * Use "=" instead of "==" for conditionals using []. It's just a very small nitpick though and it will only fail for POSIX shells. Bash on the other side accepts it anyway. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog
2018-04-26 07:11:54 +02:00
in attrsOf (coercedTo int coerce (submodule paramsSubmodule));
dhparams module: initialize
2017-02-10 18:36:36 +01:00
default = {};
nixos/dhparams: Clean up module expression First of all let's start with a clean up the multiline string indentation for descriptions, because having two indentation levels after description is a waste of screen estate. A quick survey in the form of the following also reveals that the majority of multiline strings in nixpkgs is starting the two beginning quotes in the same line: $ find -name '*.nix' -exec sed -n -e '/=$/ { n; /'\'\''/p }' {} + | wc -l 817 $ find -name '*.nix' -exec grep "= *'' *\$" {} + | wc -l 14818 The next point is to get the type, default and example attributes on top of the description because that's the way it's rendered in the manual. Most services have their enable option close to the beginning of the file, so let's move it to the top. Also, I found the script attribute for dhparams-init.service a bit hard to read as it was using string concatenation to split a "for" loop. Now for the more substantial clean ups rather than just code style: * Remove the "with lib;" at the beginning of the module, because it makes it easier to do a quick check with "nix-instantiate --parse". * Use ConditionPathExists instead of test -e for checking whether we need to generate the dhparams file. This avoids spawning a shell if the file exists already and it's probably more common that it will exist, except for the initial creation of course. * When cleaning up old dhparams file, use RemainAfterExit so that the unit won't be triggered again whenever we stop and start a service depending on it. * Capitalize systemd unit descriptions to be more in par with most other unit descriptions (also see 0c5e837b66f58265ce2b66a33d0f47a3). * Use "=" instead of "==" for conditionals using []. It's just a very small nitpick though and it will only fail for POSIX shells. Bash on the other side accepts it anyway. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog
2018-04-26 07:11:54 +02:00
example = lib.literalExample "{ nginx.bits = 3072; }";
description = ''
Diffie-Hellman parameters to generate.
The value is the size (in bits) of the DH params to generate. The
generated DH params path can be found in
<literal>config.security.dhparams.params.<replaceable>name</replaceable>.path</literal>.
<note><para>The name of the DH params is taken as being the name of
the service it serves and the params will be generated before the
said service is started.</para></note>
<warning><para>If you are removing all dhparams from this list, you
have to leave <option>security.dhparams.enable</option> for at
least one activation in order to have them be cleaned up. This also
means if you rollback to a version without any dhparams the
existing ones won't be cleaned up. Of course this only applies if
<option>security.dhparams.stateful</option> is
<literal>true</literal>.</para></warning>
nixos/dhparams: Add a defaultBitSize option This allows to set the default bit size for all the Diffie-Hellman parameters defined in security.dhparams.params and it's particularly useful so that we can set it to a very low value in tests (so it doesn't take ages to generate). Regardless for the use in testing, this also has an impact in production systems if the owner wants to set all of them to a different size than 2048, they don't need to set it individually for every params that are set. I've added a subtest to the "dhparams" NixOS test to ensure this is working properly. Signed-off-by: aszlig <aszlig@nix.build>
2018-05-07 04:33:56 +02:00
<note><title>For module implementers:</title><para>It's recommended
to not set a specific bit size here, so that users can easily
override this by setting
<option>security.dhparams.defaultBitSize</option>.</para></note>
nixos/dhparams: Clean up module expression First of all let's start with a clean up the multiline string indentation for descriptions, because having two indentation levels after description is a waste of screen estate. A quick survey in the form of the following also reveals that the majority of multiline strings in nixpkgs is starting the two beginning quotes in the same line: $ find -name '*.nix' -exec sed -n -e '/=$/ { n; /'\'\''/p }' {} + | wc -l 817 $ find -name '*.nix' -exec grep "= *'' *\$" {} + | wc -l 14818 The next point is to get the type, default and example attributes on top of the description because that's the way it's rendered in the manual. Most services have their enable option close to the beginning of the file, so let's move it to the top. Also, I found the script attribute for dhparams-init.service a bit hard to read as it was using string concatenation to split a "for" loop. Now for the more substantial clean ups rather than just code style: * Remove the "with lib;" at the beginning of the module, because it makes it easier to do a quick check with "nix-instantiate --parse". * Use ConditionPathExists instead of test -e for checking whether we need to generate the dhparams file. This avoids spawning a shell if the file exists already and it's probably more common that it will exist, except for the initial creation of course. * When cleaning up old dhparams file, use RemainAfterExit so that the unit won't be triggered again whenever we stop and start a service depending on it. * Capitalize systemd unit descriptions to be more in par with most other unit descriptions (also see 0c5e837b66f58265ce2b66a33d0f47a3). * Use "=" instead of "==" for conditionals using []. It's just a very small nitpick though and it will only fail for POSIX shells. Bash on the other side accepts it anyway. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog
2018-04-26 07:11:54 +02:00
'';
dhparams module: initialize
2017-02-10 18:36:36 +01:00
};
nixos/dhparams: Introduce a 'stateful' option This option allows us to turn off stateful generation of Diffie-Hellman parameters, which in some way is still stateful as the generated DH params file is non-deterministic. However what we can avoid with this is to have an increased surface for failures during system startup, because generation of the parameters is done during build-time. Another advantage of this is that we no longer need to take care of cleaning up the files that are no longer used and in my humble opinion I would have preferred that #11505 (which puts the dhparams in the Nix store) would have been merged instead of #22634 (which we have now). Luckily we can still change that and this change gives the user the option to put the dhparams into the Nix store. Beside of the more obvious advantages pointed out here, this also effects test runtime if more services are starting to use this (for example see #39507 and #39288), because generating DH params could take a long time depending on the bit size which adds up to test runtime. If we generate the DH params in a separate derivation, subsequent test runs won't need to wait for DH params generation during bootup. Of course, tests could still mock this by force-disabling the service and adding a service or activation script that places pre-generated DH params in /var/lib/dhparams but this would make tests less readable and the workaround would have to be made for each test affected. Note that the 'stateful' option is still true by default so that we are backwards-compatible with existing systems. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog, @abbradar, @fpletz
2018-04-26 06:38:02 +02:00
stateful = mkOption {
type = types.bool;
default = true;
description = ''
Whether generation of Diffie-Hellman parameters should be stateful or
not. If this is enabled, PEM-encoded files for Diffie-Hellman
parameters are placed in the directory specified by
<option>security.dhparams.path</option>. Otherwise the files are
created within the Nix store.
<note><para>If this is <literal>false</literal> the resulting store
path will be non-deterministic and will be rebuilt every time the
<package>openssl</package> package changes.</para></note>
'';
};
nixos/dhparams: Add a defaultBitSize option This allows to set the default bit size for all the Diffie-Hellman parameters defined in security.dhparams.params and it's particularly useful so that we can set it to a very low value in tests (so it doesn't take ages to generate). Regardless for the use in testing, this also has an impact in production systems if the owner wants to set all of them to a different size than 2048, they don't need to set it individually for every params that are set. I've added a subtest to the "dhparams" NixOS test to ensure this is working properly. Signed-off-by: aszlig <aszlig@nix.build>
2018-05-07 04:33:56 +02:00
defaultBitSize = mkOption {
type = bitType;
default = 2048;
description = ''
This allows to override the default bit size for all of the
Diffie-Hellman parameters set in
<option>security.dhparams.params</option>.
'';
};
dhparams module: initialize
2017-02-10 18:36:36 +01:00
path = mkOption {
nixos/dhparams: Clean up module expression First of all let's start with a clean up the multiline string indentation for descriptions, because having two indentation levels after description is a waste of screen estate. A quick survey in the form of the following also reveals that the majority of multiline strings in nixpkgs is starting the two beginning quotes in the same line: $ find -name '*.nix' -exec sed -n -e '/=$/ { n; /'\'\''/p }' {} + | wc -l 817 $ find -name '*.nix' -exec grep "= *'' *\$" {} + | wc -l 14818 The next point is to get the type, default and example attributes on top of the description because that's the way it's rendered in the manual. Most services have their enable option close to the beginning of the file, so let's move it to the top. Also, I found the script attribute for dhparams-init.service a bit hard to read as it was using string concatenation to split a "for" loop. Now for the more substantial clean ups rather than just code style: * Remove the "with lib;" at the beginning of the module, because it makes it easier to do a quick check with "nix-instantiate --parse". * Use ConditionPathExists instead of test -e for checking whether we need to generate the dhparams file. This avoids spawning a shell if the file exists already and it's probably more common that it will exist, except for the initial creation of course. * When cleaning up old dhparams file, use RemainAfterExit so that the unit won't be triggered again whenever we stop and start a service depending on it. * Capitalize systemd unit descriptions to be more in par with most other unit descriptions (also see 0c5e837b66f58265ce2b66a33d0f47a3). * Use "=" instead of "==" for conditionals using []. It's just a very small nitpick though and it will only fail for POSIX shells. Bash on the other side accepts it anyway. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog
2018-04-26 07:11:54 +02:00
type = types.str;
default = "/var/lib/dhparams";
nixos/dhparams: Introduce a 'stateful' option This option allows us to turn off stateful generation of Diffie-Hellman parameters, which in some way is still stateful as the generated DH params file is non-deterministic. However what we can avoid with this is to have an increased surface for failures during system startup, because generation of the parameters is done during build-time. Another advantage of this is that we no longer need to take care of cleaning up the files that are no longer used and in my humble opinion I would have preferred that #11505 (which puts the dhparams in the Nix store) would have been merged instead of #22634 (which we have now). Luckily we can still change that and this change gives the user the option to put the dhparams into the Nix store. Beside of the more obvious advantages pointed out here, this also effects test runtime if more services are starting to use this (for example see #39507 and #39288), because generating DH params could take a long time depending on the bit size which adds up to test runtime. If we generate the DH params in a separate derivation, subsequent test runs won't need to wait for DH params generation during bootup. Of course, tests could still mock this by force-disabling the service and adding a service or activation script that places pre-generated DH params in /var/lib/dhparams but this would make tests less readable and the workaround would have to be made for each test affected. Note that the 'stateful' option is still true by default so that we are backwards-compatible with existing systems. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog, @abbradar, @fpletz
2018-04-26 06:38:02 +02:00
description = ''
Path to the directory in which Diffie-Hellman parameters will be
stored. This only is relevant if
<option>security.dhparams.stateful</option> is
<literal>true</literal>.
'';
dhparams module: condition on enable option (#23661) Hence, the init/cleanup service only runs when the dhparams module is enabled.
2017-03-17 01:56:13 +01:00
};
dhparams module: initialize
2017-02-10 18:36:36 +01:00
};
};
nixos/dhparams: Clean up module expression First of all let's start with a clean up the multiline string indentation for descriptions, because having two indentation levels after description is a waste of screen estate. A quick survey in the form of the following also reveals that the majority of multiline strings in nixpkgs is starting the two beginning quotes in the same line: $ find -name '*.nix' -exec sed -n -e '/=$/ { n; /'\'\''/p }' {} + | wc -l 817 $ find -name '*.nix' -exec grep "= *'' *\$" {} + | wc -l 14818 The next point is to get the type, default and example attributes on top of the description because that's the way it's rendered in the manual. Most services have their enable option close to the beginning of the file, so let's move it to the top. Also, I found the script attribute for dhparams-init.service a bit hard to read as it was using string concatenation to split a "for" loop. Now for the more substantial clean ups rather than just code style: * Remove the "with lib;" at the beginning of the module, because it makes it easier to do a quick check with "nix-instantiate --parse". * Use ConditionPathExists instead of test -e for checking whether we need to generate the dhparams file. This avoids spawning a shell if the file exists already and it's probably more common that it will exist, except for the initial creation of course. * When cleaning up old dhparams file, use RemainAfterExit so that the unit won't be triggered again whenever we stop and start a service depending on it. * Capitalize systemd unit descriptions to be more in par with most other unit descriptions (also see 0c5e837b66f58265ce2b66a33d0f47a3). * Use "=" instead of "==" for conditionals using []. It's just a very small nitpick though and it will only fail for POSIX shells. Bash on the other side accepts it anyway. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog
2018-04-26 07:11:54 +02:00
config = lib.mkIf (cfg.enable && cfg.stateful) {
dhparams module: condition on enable option (#23661) Hence, the init/cleanup service only runs when the dhparams module is enabled.
2017-03-17 01:56:13 +01:00
systemd.services = {
dhparams-init = {
nixos/dhparams: Clean up module expression First of all let's start with a clean up the multiline string indentation for descriptions, because having two indentation levels after description is a waste of screen estate. A quick survey in the form of the following also reveals that the majority of multiline strings in nixpkgs is starting the two beginning quotes in the same line: $ find -name '*.nix' -exec sed -n -e '/=$/ { n; /'\'\''/p }' {} + | wc -l 817 $ find -name '*.nix' -exec grep "= *'' *\$" {} + | wc -l 14818 The next point is to get the type, default and example attributes on top of the description because that's the way it's rendered in the manual. Most services have their enable option close to the beginning of the file, so let's move it to the top. Also, I found the script attribute for dhparams-init.service a bit hard to read as it was using string concatenation to split a "for" loop. Now for the more substantial clean ups rather than just code style: * Remove the "with lib;" at the beginning of the module, because it makes it easier to do a quick check with "nix-instantiate --parse". * Use ConditionPathExists instead of test -e for checking whether we need to generate the dhparams file. This avoids spawning a shell if the file exists already and it's probably more common that it will exist, except for the initial creation of course. * When cleaning up old dhparams file, use RemainAfterExit so that the unit won't be triggered again whenever we stop and start a service depending on it. * Capitalize systemd unit descriptions to be more in par with most other unit descriptions (also see 0c5e837b66f58265ce2b66a33d0f47a3). * Use "=" instead of "==" for conditionals using []. It's just a very small nitpick though and it will only fail for POSIX shells. Bash on the other side accepts it anyway. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog
2018-04-26 07:11:54 +02:00
description = "Clean Up Old Diffie-Hellman Parameters";
# Clean up even when no DH params is set
wantedBy = [ "multi-user.target" ];
serviceConfig.RemainAfterExit = true;
dhparams module: condition on enable option (#23661) Hence, the init/cleanup service only runs when the dhparams module is enabled.
2017-03-17 01:56:13 +01:00
serviceConfig.Type = "oneshot";
nixos/dhparams: Clean up module expression First of all let's start with a clean up the multiline string indentation for descriptions, because having two indentation levels after description is a waste of screen estate. A quick survey in the form of the following also reveals that the majority of multiline strings in nixpkgs is starting the two beginning quotes in the same line: $ find -name '*.nix' -exec sed -n -e '/=$/ { n; /'\'\''/p }' {} + | wc -l 817 $ find -name '*.nix' -exec grep "= *'' *\$" {} + | wc -l 14818 The next point is to get the type, default and example attributes on top of the description because that's the way it's rendered in the manual. Most services have their enable option close to the beginning of the file, so let's move it to the top. Also, I found the script attribute for dhparams-init.service a bit hard to read as it was using string concatenation to split a "for" loop. Now for the more substantial clean ups rather than just code style: * Remove the "with lib;" at the beginning of the module, because it makes it easier to do a quick check with "nix-instantiate --parse". * Use ConditionPathExists instead of test -e for checking whether we need to generate the dhparams file. This avoids spawning a shell if the file exists already and it's probably more common that it will exist, except for the initial creation of course. * When cleaning up old dhparams file, use RemainAfterExit so that the unit won't be triggered again whenever we stop and start a service depending on it. * Capitalize systemd unit descriptions to be more in par with most other unit descriptions (also see 0c5e837b66f58265ce2b66a33d0f47a3). * Use "=" instead of "==" for conditionals using []. It's just a very small nitpick though and it will only fail for POSIX shells. Bash on the other side accepts it anyway. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog
2018-04-26 07:11:54 +02:00
script = ''
if [ ! -d ${cfg.path} ]; then
mkdir -p ${cfg.path}
fi
dhparams module: condition on enable option (#23661) Hence, the init/cleanup service only runs when the dhparams module is enabled.
2017-03-17 01:56:13 +01:00
# Remove old dhparams
nixos/dhparams: Clean up module expression First of all let's start with a clean up the multiline string indentation for descriptions, because having two indentation levels after description is a waste of screen estate. A quick survey in the form of the following also reveals that the majority of multiline strings in nixpkgs is starting the two beginning quotes in the same line: $ find -name '*.nix' -exec sed -n -e '/=$/ { n; /'\'\''/p }' {} + | wc -l 817 $ find -name '*.nix' -exec grep "= *'' *\$" {} + | wc -l 14818 The next point is to get the type, default and example attributes on top of the description because that's the way it's rendered in the manual. Most services have their enable option close to the beginning of the file, so let's move it to the top. Also, I found the script attribute for dhparams-init.service a bit hard to read as it was using string concatenation to split a "for" loop. Now for the more substantial clean ups rather than just code style: * Remove the "with lib;" at the beginning of the module, because it makes it easier to do a quick check with "nix-instantiate --parse". * Use ConditionPathExists instead of test -e for checking whether we need to generate the dhparams file. This avoids spawning a shell if the file exists already and it's probably more common that it will exist, except for the initial creation of course. * When cleaning up old dhparams file, use RemainAfterExit so that the unit won't be triggered again whenever we stop and start a service depending on it. * Capitalize systemd unit descriptions to be more in par with most other unit descriptions (also see 0c5e837b66f58265ce2b66a33d0f47a3). * Use "=" instead of "==" for conditionals using []. It's just a very small nitpick though and it will only fail for POSIX shells. Bash on the other side accepts it anyway. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog
2018-04-26 07:11:54 +02:00
for file in ${cfg.path}/*; do
if [ ! -f "$file" ]; then
continue
fi
${lib.concatStrings (lib.mapAttrsToList (name: { bits, path, ... }: ''
if [ "$file" = ${lib.escapeShellArg path} ] && \
${pkgs.openssl}/bin/openssl dhparam -in "$file" -text \
| head -n 1 | grep "(${toString bits} bit)" > /dev/null; then
dhparams module: condition on enable option (#23661) Hence, the init/cleanup service only runs when the dhparams module is enabled.
2017-03-17 01:56:13 +01:00
continue
fi
nixos/dhparams: Clean up module expression First of all let's start with a clean up the multiline string indentation for descriptions, because having two indentation levels after description is a waste of screen estate. A quick survey in the form of the following also reveals that the majority of multiline strings in nixpkgs is starting the two beginning quotes in the same line: $ find -name '*.nix' -exec sed -n -e '/=$/ { n; /'\'\''/p }' {} + | wc -l 817 $ find -name '*.nix' -exec grep "= *'' *\$" {} + | wc -l 14818 The next point is to get the type, default and example attributes on top of the description because that's the way it's rendered in the manual. Most services have their enable option close to the beginning of the file, so let's move it to the top. Also, I found the script attribute for dhparams-init.service a bit hard to read as it was using string concatenation to split a "for" loop. Now for the more substantial clean ups rather than just code style: * Remove the "with lib;" at the beginning of the module, because it makes it easier to do a quick check with "nix-instantiate --parse". * Use ConditionPathExists instead of test -e for checking whether we need to generate the dhparams file. This avoids spawning a shell if the file exists already and it's probably more common that it will exist, except for the initial creation of course. * When cleaning up old dhparams file, use RemainAfterExit so that the unit won't be triggered again whenever we stop and start a service depending on it. * Capitalize systemd unit descriptions to be more in par with most other unit descriptions (also see 0c5e837b66f58265ce2b66a33d0f47a3). * Use "=" instead of "==" for conditionals using []. It's just a very small nitpick though and it will only fail for POSIX shells. Bash on the other side accepts it anyway. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog
2018-04-26 07:11:54 +02:00
'') cfg.params)}
rm $file
done
# TODO: Ideally this would be removing the *former* cfg.path, though
# this does not seem really important as changes to it are quite
# unlikely
rmdir --ignore-fail-on-non-empty ${cfg.path}
'';
dhparams module: condition on enable option (#23661) Hence, the init/cleanup service only runs when the dhparams module is enabled.
2017-03-17 01:56:13 +01:00
};
nixos/dhparams: Clean up module expression First of all let's start with a clean up the multiline string indentation for descriptions, because having two indentation levels after description is a waste of screen estate. A quick survey in the form of the following also reveals that the majority of multiline strings in nixpkgs is starting the two beginning quotes in the same line: $ find -name '*.nix' -exec sed -n -e '/=$/ { n; /'\'\''/p }' {} + | wc -l 817 $ find -name '*.nix' -exec grep "= *'' *\$" {} + | wc -l 14818 The next point is to get the type, default and example attributes on top of the description because that's the way it's rendered in the manual. Most services have their enable option close to the beginning of the file, so let's move it to the top. Also, I found the script attribute for dhparams-init.service a bit hard to read as it was using string concatenation to split a "for" loop. Now for the more substantial clean ups rather than just code style: * Remove the "with lib;" at the beginning of the module, because it makes it easier to do a quick check with "nix-instantiate --parse". * Use ConditionPathExists instead of test -e for checking whether we need to generate the dhparams file. This avoids spawning a shell if the file exists already and it's probably more common that it will exist, except for the initial creation of course. * When cleaning up old dhparams file, use RemainAfterExit so that the unit won't be triggered again whenever we stop and start a service depending on it. * Capitalize systemd unit descriptions to be more in par with most other unit descriptions (also see 0c5e837b66f58265ce2b66a33d0f47a3). * Use "=" instead of "==" for conditionals using []. It's just a very small nitpick though and it will only fail for POSIX shells. Bash on the other side accepts it anyway. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog
2018-04-26 07:11:54 +02:00
} // lib.mapAttrs' (name: { bits, path, ... }: lib.nameValuePair "dhparams-gen-${name}" {
description = "Generate Diffie-Hellman Parameters for ${name}";
after = [ "dhparams-init.service" ];
before = [ "${name}.service" ];
wantedBy = [ "multi-user.target" ];
unitConfig.ConditionPathExists = "!${path}";
serviceConfig.Type = "oneshot";
script = ''
mkdir -p ${lib.escapeShellArg cfg.path}
${pkgs.openssl}/bin/openssl dhparam -out ${lib.escapeShellArg path} \
${toString bits}
'';
}) cfg.params;
dhparams module: condition on enable option (#23661) Hence, the init/cleanup service only runs when the dhparams module is enabled.
2017-03-17 01:56:13 +01:00
};
dhparams module: add self as maintainer
2018-10-31 01:05:35 +09:00
meta.maintainers = with lib.maintainers; [ ekleog ];
dhparams module: initialize
2017-02-10 18:36:36 +01:00
}
Reference in New Issue Copy Permalink