nixpkgs/nixos/modules/security/dhparams.nix

{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.security.dhparams;

  paramsSubmodule = { name, config, ... }: {
    options.bits = mkOption {
      type = types.addCheck types.int (b: b >= 16) // {
        name = "bits";
        description = "integer of at least 16 bits";
      };
      default = 4096;
      description = ''
        The bit size for the prime that is used during a Diffie-Hellman
        key exchange.
      '';
    };

    options.path = mkOption {
      type = types.path;
      readOnly = true;
      description = ''
        The resulting path of the generated Diffie-Hellman parameters
        file for other services to reference. This could be either a
        store path or a file inside the directory specified by
        <option>security.dhparams.path</option>.
      '';
    };

    config.path = "${cfg.path}/${name}.pem";
  };

in {
  options = {
    security.dhparams = {
      params = mkOption {
        description =
          ''
            Diffie-Hellman parameters to generate.

            The value is the size (in bits) of the DH params to generate. The
            generated DH params path can be found in
            <literal>config.security.dhparams.params.<replaceable>name</replaceable>.path</literal>.

            <note><para>The name of the DH params is taken as being the name of
            the service it serves and the params will be generated before the
            said service is started.</para></note>

            <warning><para>If you are removing all dhparams from this list, you
            have to leave <option>security.dhparams.enable</option> for at
            least one activation in order to have them be cleaned up. This also
            means if you rollback to a version without any dhparams the
            existing ones won't be cleaned up.</para></warning>
          '';
        type = with types; let
          coerce = bits: { inherit bits; };
        in attrsOf (coercedTo types.int coerce (submodule paramsSubmodule));
        default = {};
        example = literalExample "{ nginx.bits = 3072; }";
      };

      path = mkOption {
        description =
          ''
            Path to the directory in which Diffie-Hellman parameters will be
            stored.
          '';
        type = types.str;
        default = "/var/lib/dhparams";
      };

      enable = mkOption {
        description =
          ''
            Whether to generate new DH params and clean up old DH params.
          '';
        default = false;
        type = types.bool;
      };
    };
  };

  config = mkIf cfg.enable {
    systemd.services = {
      dhparams-init = {
        description = "Cleanup old Diffie-Hellman parameters";
        wantedBy = [ "multi-user.target" ]; # Clean up even when no DH params is set
        serviceConfig.Type = "oneshot";
        script =
          # Create directory
          ''
            if [ ! -d ${cfg.path} ]; then
              mkdir -p ${cfg.path}
            fi
          '' +
          # Remove old dhparams
          ''
            for file in ${cfg.path}/*; do
              if [ ! -f "$file" ]; then
                continue
              fi
          '' + concatStrings (mapAttrsToList (name: { bits, ... }:
          ''
              if [ "$file" == "${cfg.path}/${name}.pem" ] && \
                  ${pkgs.openssl}/bin/openssl dhparam -in "$file" -text | head -n 1 | grep "(${toString bits} bit)" > /dev/null; then
                continue
              fi
          ''
          ) cfg.params) +
          ''
              rm $file
            done

            # TODO: Ideally this would be removing the *former* cfg.path, though this
            # does not seem really important as changes to it are quite unlikely
            rmdir --ignore-fail-on-non-empty ${cfg.path}
          '';
      };
    } //
      mapAttrs' (name: { bits, ... }: nameValuePair "dhparams-gen-${name}" {
        description = "Generate Diffie-Hellman parameters for ${name} if they don't exist yet";
        after = [ "dhparams-init.service" ];
        before = [ "${name}.service" ];
        wantedBy = [ "multi-user.target" ];
        serviceConfig.Type = "oneshot";
        script =
          ''
            mkdir -p ${cfg.path}
            if [ ! -f ${cfg.path}/${name}.pem ]; then
              ${pkgs.openssl}/bin/openssl dhparam -out ${cfg.path}/${name}.pem ${toString bits}
            fi
          '';
      }) cfg.params;
  };
}
dhparams module: initialize 2017-02-10 17:36:36 +00:00			`{ config, lib, pkgs, ... }:`

			`with lib;`
nixos/dhparams: Turn params into a submodule We're going to implement an option which allows us to turn off stateful handling of Diffie-Hellman parameter files by putting them into the Nix store. However, modules now might need a way to reference these files, so we add a now path option to every param specified, which carries a read-only value of the path where to find the corresponding DH params file. I've also improved the description of security.dhparams.params a bit so that it uses <warning/> and <note/>. The NixOS VM test also reflects this change and checks whether the old way to specify the bit size still works. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog 2018-04-26 05:19:48 +01:00
dhparams module: initialize 2017-02-10 17:36:36 +00:00			`let`
			`cfg = config.security.dhparams;`
nixos/dhparams: Turn params into a submodule We're going to implement an option which allows us to turn off stateful handling of Diffie-Hellman parameter files by putting them into the Nix store. However, modules now might need a way to reference these files, so we add a now path option to every param specified, which carries a read-only value of the path where to find the corresponding DH params file. I've also improved the description of security.dhparams.params a bit so that it uses <warning/> and <note/>. The NixOS VM test also reflects this change and checks whether the old way to specify the bit size still works. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog 2018-04-26 05:19:48 +01:00
			`paramsSubmodule = { name, config, ... }: {`
			`options.bits = mkOption {`
			`type = types.addCheck types.int (b: b >= 16) // {`
			`name = "bits";`
			`description = "integer of at least 16 bits";`
			`};`
			`default = 4096;`
			`description = ''`
			`The bit size for the prime that is used during a Diffie-Hellman`
			`key exchange.`
			`'';`
			`};`

			`options.path = mkOption {`
			`type = types.path;`
			`readOnly = true;`
			`description = ''`
			`The resulting path of the generated Diffie-Hellman parameters`
			`file for other services to reference. This could be either a`
			`store path or a file inside the directory specified by`
			`<option>security.dhparams.path</option>.`
			`'';`
			`};`

			`config.path = "${cfg.path}/${name}.pem";`
			`};`

			`in {`
dhparams module: initialize 2017-02-10 17:36:36 +00:00			`options = {`
			`security.dhparams = {`
			`params = mkOption {`
			`description =`
			`''`
			`Diffie-Hellman parameters to generate.`

			`The value is the size (in bits) of the DH params to generate. The`
			`generated DH params path can be found in`
nixos/dhparams: Turn params into a submodule We're going to implement an option which allows us to turn off stateful handling of Diffie-Hellman parameter files by putting them into the Nix store. However, modules now might need a way to reference these files, so we add a now path option to every param specified, which carries a read-only value of the path where to find the corresponding DH params file. I've also improved the description of security.dhparams.params a bit so that it uses <warning/> and <note/>. The NixOS VM test also reflects this change and checks whether the old way to specify the bit size still works. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog 2018-04-26 05:19:48 +01:00			`<literal>config.security.dhparams.params.<replaceable>name</replaceable>.path</literal>.`
dhparams module: initialize 2017-02-10 17:36:36 +00:00
nixos/dhparams: Turn params into a submodule We're going to implement an option which allows us to turn off stateful handling of Diffie-Hellman parameter files by putting them into the Nix store. However, modules now might need a way to reference these files, so we add a now path option to every param specified, which carries a read-only value of the path where to find the corresponding DH params file. I've also improved the description of security.dhparams.params a bit so that it uses <warning/> and <note/>. The NixOS VM test also reflects this change and checks whether the old way to specify the bit size still works. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog 2018-04-26 05:19:48 +01:00			`<note><para>The name of the DH params is taken as being the name of`
			`the service it serves and the params will be generated before the`
			`said service is started.</para></note>`
dhparams module: condition on enable option (#23661) Hence, the init/cleanup service only runs when the dhparams module is enabled. 2017-03-17 00:56:13 +00:00
nixos/dhparams: Turn params into a submodule We're going to implement an option which allows us to turn off stateful handling of Diffie-Hellman parameter files by putting them into the Nix store. However, modules now might need a way to reference these files, so we add a now path option to every param specified, which carries a read-only value of the path where to find the corresponding DH params file. I've also improved the description of security.dhparams.params a bit so that it uses <warning/> and <note/>. The NixOS VM test also reflects this change and checks whether the old way to specify the bit size still works. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog 2018-04-26 05:19:48 +01:00			`<warning><para>If you are removing all dhparams from this list, you`
			`have to leave <option>security.dhparams.enable</option> for at`
			`least one activation in order to have them be cleaned up. This also`
			`means if you rollback to a version without any dhparams the`
			`existing ones won't be cleaned up.</para></warning>`
dhparams module: initialize 2017-02-10 17:36:36 +00:00			`'';`
nixos/dhparams: Turn params into a submodule We're going to implement an option which allows us to turn off stateful handling of Diffie-Hellman parameter files by putting them into the Nix store. However, modules now might need a way to reference these files, so we add a now path option to every param specified, which carries a read-only value of the path where to find the corresponding DH params file. I've also improved the description of security.dhparams.params a bit so that it uses <warning/> and <note/>. The NixOS VM test also reflects this change and checks whether the old way to specify the bit size still works. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog 2018-04-26 05:19:48 +01:00			`type = with types; let`
			`coerce = bits: { inherit bits; };`
			`in attrsOf (coercedTo types.int coerce (submodule paramsSubmodule));`
dhparams module: initialize 2017-02-10 17:36:36 +00:00			`default = {};`
nixos/dhparams: Turn params into a submodule We're going to implement an option which allows us to turn off stateful handling of Diffie-Hellman parameter files by putting them into the Nix store. However, modules now might need a way to reference these files, so we add a now path option to every param specified, which carries a read-only value of the path where to find the corresponding DH params file. I've also improved the description of security.dhparams.params a bit so that it uses <warning/> and <note/>. The NixOS VM test also reflects this change and checks whether the old way to specify the bit size still works. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog 2018-04-26 05:19:48 +01:00			`example = literalExample "{ nginx.bits = 3072; }";`
dhparams module: initialize 2017-02-10 17:36:36 +00:00			`};`

			`path = mkOption {`
			`description =`
			`''`
			`Path to the directory in which Diffie-Hellman parameters will be`
			`stored.`
			`'';`
			`type = types.str;`
			`default = "/var/lib/dhparams";`
			`};`
dhparams module: condition on enable option (#23661) Hence, the init/cleanup service only runs when the dhparams module is enabled. 2017-03-17 00:56:13 +00:00
			`enable = mkOption {`
			`description =`
			`''`
			`Whether to generate new DH params and clean up old DH params.`
			`'';`
			`default = false;`
			`type = types.bool;`
			`};`
dhparams module: initialize 2017-02-10 17:36:36 +00:00			`};`
			`};`

dhparams module: condition on enable option (#23661) Hence, the init/cleanup service only runs when the dhparams module is enabled. 2017-03-17 00:56:13 +00:00			`config = mkIf cfg.enable {`
			`systemd.services = {`
			`dhparams-init = {`
			`description = "Cleanup old Diffie-Hellman parameters";`
			`wantedBy = [ "multi-user.target" ]; # Clean up even when no DH params is set`
			`serviceConfig.Type = "oneshot";`
			`script =`
			`# Create directory`
			`''`
			`if [ ! -d ${cfg.path} ]; then`
			`mkdir -p ${cfg.path}`
dhparams module: initialize 2017-02-10 17:36:36 +00:00			`fi`
dhparams module: condition on enable option (#23661) Hence, the init/cleanup service only runs when the dhparams module is enabled. 2017-03-17 00:56:13 +00:00			`'' +`
			`# Remove old dhparams`
			`''`
			`for file in ${cfg.path}/*; do`
			`if [ ! -f "$file" ]; then`
			`continue`
			`fi`
nixos/dhparams: Turn params into a submodule We're going to implement an option which allows us to turn off stateful handling of Diffie-Hellman parameter files by putting them into the Nix store. However, modules now might need a way to reference these files, so we add a now path option to every param specified, which carries a read-only value of the path where to find the corresponding DH params file. I've also improved the description of security.dhparams.params a bit so that it uses <warning/> and <note/>. The NixOS VM test also reflects this change and checks whether the old way to specify the bit size still works. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog 2018-04-26 05:19:48 +01:00			`'' + concatStrings (mapAttrsToList (name: { bits, ... }:`
dhparams module: condition on enable option (#23661) Hence, the init/cleanup service only runs when the dhparams module is enabled. 2017-03-17 00:56:13 +00:00			`''`
			`if [ "$file" == "${cfg.path}/${name}.pem" ] && \`
nixos/dhparams: Turn params into a submodule We're going to implement an option which allows us to turn off stateful handling of Diffie-Hellman parameter files by putting them into the Nix store. However, modules now might need a way to reference these files, so we add a now path option to every param specified, which carries a read-only value of the path where to find the corresponding DH params file. I've also improved the description of security.dhparams.params a bit so that it uses <warning/> and <note/>. The NixOS VM test also reflects this change and checks whether the old way to specify the bit size still works. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog 2018-04-26 05:19:48 +01:00			`${pkgs.openssl}/bin/openssl dhparam -in "$file" -text \| head -n 1 \| grep "(${toString bits} bit)" > /dev/null; then`
dhparams module: condition on enable option (#23661) Hence, the init/cleanup service only runs when the dhparams module is enabled. 2017-03-17 00:56:13 +00:00			`continue`
			`fi`
			`''`
			`) cfg.params) +`
			`''`
			`rm $file`
			`done`
dhparams module: initialize 2017-02-10 17:36:36 +00:00
dhparams module: condition on enable option (#23661) Hence, the init/cleanup service only runs when the dhparams module is enabled. 2017-03-17 00:56:13 +00:00			`# TODO: Ideally this would be removing the former cfg.path, though this`
			`# does not seem really important as changes to it are quite unlikely`
			`rmdir --ignore-fail-on-non-empty ${cfg.path}`
			`'';`
			`};`
			`} //`
nixos/dhparams: Turn params into a submodule We're going to implement an option which allows us to turn off stateful handling of Diffie-Hellman parameter files by putting them into the Nix store. However, modules now might need a way to reference these files, so we add a now path option to every param specified, which carries a read-only value of the path where to find the corresponding DH params file. I've also improved the description of security.dhparams.params a bit so that it uses <warning/> and <note/>. The NixOS VM test also reflects this change and checks whether the old way to specify the bit size still works. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog 2018-04-26 05:19:48 +01:00			`mapAttrs' (name: { bits, ... }: nameValuePair "dhparams-gen-${name}" {`
dhparams module: condition on enable option (#23661) Hence, the init/cleanup service only runs when the dhparams module is enabled. 2017-03-17 00:56:13 +00:00			`description = "Generate Diffie-Hellman parameters for ${name} if they don't exist yet";`
			`after = [ "dhparams-init.service" ];`
			`before = [ "${name}.service" ];`
			`wantedBy = [ "multi-user.target" ];`
			`serviceConfig.Type = "oneshot";`
			`script =`
			`''`
			`mkdir -p ${cfg.path}`
			`if [ ! -f ${cfg.path}/${name}.pem ]; then`
nixos/dhparams: Turn params into a submodule We're going to implement an option which allows us to turn off stateful handling of Diffie-Hellman parameter files by putting them into the Nix store. However, modules now might need a way to reference these files, so we add a now path option to every param specified, which carries a read-only value of the path where to find the corresponding DH params file. I've also improved the description of security.dhparams.params a bit so that it uses <warning/> and <note/>. The NixOS VM test also reflects this change and checks whether the old way to specify the bit size still works. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog 2018-04-26 05:19:48 +01:00			`${pkgs.openssl}/bin/openssl dhparam -out ${cfg.path}/${name}.pem ${toString bits}`
dhparams module: condition on enable option (#23661) Hence, the init/cleanup service only runs when the dhparams module is enabled. 2017-03-17 00:56:13 +00:00			`fi`
			`'';`
			`}) cfg.params;`
			`};`
dhparams module: initialize 2017-02-10 17:36:36 +00:00			`}`