nixos: Add release notes about dhparams changes

This is not only to make users aware of the changes but also to give a
heads up to developers who are using the module, specifically if they
rely on security.dhparams.path only.

Signed-off-by: aszlig <aszlig@nix.build>
aszlig 2018-05-07 05:02:41 +02:00
parent 81fc2c3509
commit a8b7372380
GPG Key ID: 684089CE67EBB691
1 changed files with 50 additions and 0 deletions


@ -77,7 +77,57 @@ following incompatible changes:</para>
<itemizedlist>
<listitem>
<para>
The module for <option>security.dhparams</option> has two new options
now:
</para>
<variablelist>
<varlistentry>
<term><option>security.dhparams.stateless</option></term>
<listitem><para>
Puts the generated Diffie-Hellman parameters into the Nix store
instead of managing them in a stateful manner in
<filename class="directory">/var/lib/dhparams</filename>.
</para></listitem>
</varlistentry>
<varlistentry>
<term><option>security.dhparams.defaultBitSize</option></term>
<listitem><para>
The default bit size to use for the generated Diffie-Hellman
parameters.
</para></listitem>
</varlistentry>
</variablelist>
<note><para>
The path to the actual generated parameter files should now be queried
using
<literal>config.security.dhparams.params.<replaceable>name</replaceable>.path</literal>
because it might be either in the Nix store or in a directory configured
by <option>security.dhparams.path</option>.
</para></note>
<note>
<title>For developers:</title>
<para>
Module implementers should not set a specific bit size in order to let
users configure it by themselves if they want to have a different bit
size than the default (2048).
</para>
<para>
An example usage of this would be:
<programlisting>
{ config, ... }:
{
security.dhparams.params.myservice = {};
environment.etc."myservice.conf".text = ''
dhparams = ${config.security.dhparams.params.myservice.path}
'';
}
</programlisting>
</para>
</note>
</listitem>
</itemizedlist>
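Review bot: The <option>security.dhparams.defaultBitSize</option> entry does not state its default, while the developers' note further down mentions "(2048)" in passing; state the default value in the varlistentry itself ("The default bit size to use for the generated Diffie-Hellman parameters, currently 2048.") so users reading only the option list see it, and keep the parenthetical in the developers' note consistent with it. Two smaller points: the note title "For developers:" carries a trailing colon that DocBook will render alongside its own title punctuation, so "For developers" reads better; and in the example the first-note wording "because it might be either in the Nix store or in a directory configured by <option>security.dhparams.path</option>" would be clearer if it said explicitly that this depends on <option>security.dhparams.stateless</option>, since that is the option the commit message warns developers about when they rely on <option>security.dhparams.path</option> alone.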