dhparams module: condition on enable option (#23661)

Hence, the init/cleanup service only runs when the dhparams module is enabled.

nixos/modules/security/dhparams.nix

@@ -19,6 +19,12 @@ in
             Note: The name of the DH params is taken as being the name of the
             service it serves: the params will be generated before the said
             service is started.
+
+            Warning: If you are removing all dhparams from this list, you have
+            to leave security.dhparams.enable for at least one activation in
+            order to have them be cleaned up. This also means if you rollback to
+            a version without any dhparams the existing ones won't be cleaned
+            up.
           '';
         type = with types; attrsOf int;
         default = {};
@@ -34,10 +40,20 @@ in
         type = types.str;
         default = "/var/lib/dhparams";
       };
+
+      enable = mkOption {
+        description =
+          ''
+            Whether to generate new DH params and clean up old DH params.
+          '';
+        default = false;
+        type = types.bool;
+      };
     };
   };
 
-  config.systemd.services = {
+  config = mkIf cfg.enable {
+    systemd.services = {
       dhparams-init = {
         description = "Cleanup old Diffie-Hellman parameters";
         wantedBy = [ "multi-user.target" ]; # Clean up even when no DH params is set
@@ -68,8 +84,8 @@ in
             done
 
             # TODO: Ideally this would be removing the *former* cfg.path, though this
-          # does not seem really important
+            # does not seem really important as changes to it are quite unlikely
-          rmdir -p --ignore-fail-on-non-empty ${cfg.path}
+            rmdir --ignore-fail-on-non-empty ${cfg.path}
           '';
       };
     } //
@@ -87,4 +103,5 @@ in
             fi
           '';
       }) cfg.params;
+  };
 }