Note: The name of the DH params is taken as being the name of the
service it serves: the params will be generated before the said
+
Warning: If you are removing all dhparams from this list, you have
+
to leave security.dhparams.enable for at least one activation in
+
order to have them be cleaned up. This also means if you rollback to
+
a version without any dhparams the existing ones won't be cleaned
type = with types; attrsOf int;
default = "/var/lib/dhparams";
+
Whether to generate new DH params and clean up old DH params.
+
config = mkIf cfg.enable {
+
description = "Cleanup old Diffie-Hellman parameters";
+
wantedBy = [ "multi-user.target" ]; # Clean up even when no DH params is set
+
serviceConfig.Type = "oneshot";
+
if [ ! -d ${cfg.path} ]; then
+
for file in ${cfg.path}/*; do
+
if [ ! -f "$file" ]; then
+
'' + concatStrings (mapAttrsToList (name: value:
+
if [ "$file" == "${cfg.path}/${name}.pem" ] && \
+
${pkgs.openssl}/bin/openssl dhparam -in "$file" -text | head -n 1 | grep "(${toString value} bit)" > /dev/null; then
+
# TODO: Ideally this would be removing the *former* cfg.path, though this
+
# does not seem really important as changes to it are quite unlikely
+
rmdir --ignore-fail-on-non-empty ${cfg.path}
+
mapAttrs' (name: value: nameValuePair "dhparams-gen-${name}" {
+
description = "Generate Diffie-Hellman parameters for ${name} if they don't exist yet";
+
after = [ "dhparams-init.service" ];
+
before = [ "${name}.service" ];
+
wantedBy = [ "multi-user.target" ];
+
serviceConfig.Type = "oneshot";
+
if [ ! -f ${cfg.path}/${name}.pem ]; then
+
${pkgs.openssl}/bin/openssl dhparam -out ${cfg.path}/${name}.pem ${toString value}