diff options
| author | aszlig <aszlig@nix.build> | 2018-05-07 04:33:56 +0200 |
|---|---|---|
| committer | aszlig <aszlig@nix.build> | 2018-05-07 04:58:52 +0200 |
| commit | 81fc2c35097f81ecb29a576148486cc1ce5a5bcc (patch) | |
| tree | 07c662457105fe5662f71d73bf6f64cda392b2d3 | |
| parent | b3d5ca8359d3fac0f21ccece79c202557a9433b5 (diff) | |
| download | nixpkgs-81fc2c35097f81ecb29a576148486cc1ce5a5bcc.tar nixpkgs-81fc2c35097f81ecb29a576148486cc1ce5a5bcc.tar.gz nixpkgs-81fc2c35097f81ecb29a576148486cc1ce5a5bcc.tar.bz2 nixpkgs-81fc2c35097f81ecb29a576148486cc1ce5a5bcc.tar.lz nixpkgs-81fc2c35097f81ecb29a576148486cc1ce5a5bcc.tar.xz nixpkgs-81fc2c35097f81ecb29a576148486cc1ce5a5bcc.tar.zst nixpkgs-81fc2c35097f81ecb29a576148486cc1ce5a5bcc.zip | |
nixos/dhparams: Add a defaultBitSize option
This allows to set the default bit size for all the Diffie-Hellman parameters defined in security.dhparams.params and it's particularly useful so that we can set it to a very low value in tests (so it doesn't take ages to generate). Regardless for the use in testing, this also has an impact in production systems if the owner wants to set all of them to a different size than 2048, they don't need to set it individually for every params that are set. I've added a subtest to the "dhparams" NixOS test to ensure this is working properly. Signed-off-by: aszlig <aszlig@nix.build>
| -rw-r--r-- | nixos/modules/security/dhparams.nix | 27 | ||||
| -rw-r--r-- | nixos/tests/dhparams.nix | 14 |
2 files changed, 36 insertions, 5 deletions
diff --git a/nixos/modules/security/dhparams.nix b/nixos/modules/security/dhparams.nix index beac125fc6e..e2b84c3e3b3 100644 --- a/nixos/modules/security/dhparams.nix +++ b/nixos/modules/security/dhparams.nix @@ -4,13 +4,15 @@ let inherit (lib) mkOption types; cfg = config.security.dhparams; + bitType = types.addCheck types.int (b: b >= 16) // { + name = "bits"; + description = "integer of at least 16 bits"; + }; + paramsSubmodule = { name, config, ... }: { options.bits = mkOption { - type = types.addCheck types.int (b: b >= 16) // { - name = "bits"; - description = "integer of at least 16 bits"; - }; - default = 2048; + type = bitType; + default = cfg.defaultBitSize; description = '' The bit size for the prime that is used during a Diffie-Hellman key exchange. @@ -70,6 +72,11 @@ in { existing ones won't be cleaned up. Of course this only applies if <option>security.dhparams.stateful</option> is <literal>true</literal>.</para></warning> + + <note><title>For module implementers:</title><para>It's recommended + to not set a specific bit size here, so that users can easily + override this by setting + <option>security.dhparams.defaultBitSize</option>.</para></note> ''; }; @@ -89,6 +96,16 @@ in { ''; }; + defaultBitSize = mkOption { + type = bitType; + default = 2048; + description = '' + This allows to override the default bit size for all of the + Diffie-Hellman parameters set in + <option>security.dhparams.params</option>. + ''; + }; + path = mkOption { type = types.str; default = "/var/lib/dhparams"; diff --git a/nixos/tests/dhparams.nix b/nixos/tests/dhparams.nix index da75391e4ce..d11dfeec5d0 100644 --- a/nixos/tests/dhparams.nix +++ b/nixos/tests/dhparams.nix @@ -54,6 +54,13 @@ in import ./make-test.nix { security.dhparams.params.bar2.bits = 19; }; + nodes.generation5 = { + imports = [ common ]; + security.dhparams.defaultBitSize = 30; + security.dhparams.params.foo3 = {}; + security.dhparams.params.bar3 = {}; + }; + testScript = { nodes, ... }: let getParamPath = gen: name: let node = "generation${toString gen}"; @@ -126,5 +133,12 @@ in import ./make-test.nix { 'expr match ${getParamPath 4 "bar2"} ${builtins.storeDir}', ); }; + + ${switchToGeneration 5} + + subtest "check whether defaultBitSize works as intended", sub { + ${assertParamBits 5 "foo3" 30} + ${assertParamBits 5 "bar3" 30} + }; ''; } |