Note: The name of the DH params is taken as being the name of the
service it serves: the params will be generated before the said
23
+
Warning: If you are removing all dhparams from this list, you have
24
+
to leave security.dhparams.enable for at least one activation in
25
+
order to have them be cleaned up. This also means if you rollback to
26
+
a version without any dhparams the existing ones won't be cleaned
type = with types; attrsOf int;
default = "/var/lib/dhparams";
47
+
Whether to generate new DH params and clean up old DH params.
40
-
config.systemd.services = {
42
-
description = "Cleanup old Diffie-Hellman parameters";
43
-
wantedBy = [ "multi-user.target" ]; # Clean up even when no DH params is set
44
-
serviceConfig.Type = "oneshot";
48
-
if [ ! -d ${cfg.path} ]; then
55
+
config = mkIf cfg.enable {
56
+
systemd.services = {
58
+
description = "Cleanup old Diffie-Hellman parameters";
59
+
wantedBy = [ "multi-user.target" ]; # Clean up even when no DH params is set
60
+
serviceConfig.Type = "oneshot";
64
+
if [ ! -d ${cfg.path} ]; then
65
+
mkdir -p ${cfg.path}
68
+
# Remove old dhparams
70
+
for file in ${cfg.path}/*; do
71
+
if [ ! -f "$file" ]; then
74
+
'' + concatStrings (mapAttrsToList (name: value:
76
+
if [ "$file" == "${cfg.path}/${name}.pem" ] && \
77
+
${pkgs.openssl}/bin/openssl dhparam -in "$file" -text | head -n 1 | grep "(${toString value} bit)" > /dev/null; then
86
+
# TODO: Ideally this would be removing the *former* cfg.path, though this
87
+
# does not seem really important as changes to it are quite unlikely
88
+
rmdir --ignore-fail-on-non-empty ${cfg.path}
92
+
mapAttrs' (name: value: nameValuePair "dhparams-gen-${name}" {
93
+
description = "Generate Diffie-Hellman parameters for ${name} if they don't exist yet";
94
+
after = [ "dhparams-init.service" ];
95
+
before = [ "${name}.service" ];
96
+
wantedBy = [ "multi-user.target" ];
97
+
serviceConfig.Type = "oneshot";
52
-
# Remove old dhparams
54
-
for file in ${cfg.path}/*; do
55
-
if [ ! -f "$file" ]; then
58
-
'' + concatStrings (mapAttrsToList (name: value:
60
-
if [ "$file" == "${cfg.path}/${name}.pem" ] && \
61
-
${pkgs.openssl}/bin/openssl dhparam -in "$file" -text | head -n 1 | grep "(${toString value} bit)" > /dev/null; then
101
+
if [ ! -f ${cfg.path}/${name}.pem ]; then
102
+
${pkgs.openssl}/bin/openssl dhparam -out ${cfg.path}/${name}.pem ${toString value}
70
-
# TODO: Ideally this would be removing the *former* cfg.path, though this
71
-
# does not seem really important
72
-
rmdir -p --ignore-fail-on-non-empty ${cfg.path}
76
-
mapAttrs' (name: value: nameValuePair "dhparams-gen-${name}" {
77
-
description = "Generate Diffie-Hellman parameters for ${name} if they don't exist yet";
78
-
after = [ "dhparams-init.service" ];
79
-
before = [ "${name}.service" ];
80
-
wantedBy = [ "multi-user.target" ];
81
-
serviceConfig.Type = "oneshot";
84
-
mkdir -p ${cfg.path}
85
-
if [ ! -f ${cfg.path}/${name}.pem ]; then
86
-
${pkgs.openssl}/bin/openssl dhparam -out ${cfg.path}/${name}.pem ${toString value}