dhparams module: condition on enable option (#23661)

Hence, the init/cleanup service only runs when the dhparams module is enabled.
2017-03-17 01:56:13 +01:00 · 2017-03-17 01:56:13 +01:00 · 66e54f25a1
commit 66e54f25a1
parent b760bfd9f6
1 changed files with 65 additions and 48 deletions
--- a/nixos/modules/security/dhparams.nix
+++ b/nixos/modules/security/dhparams.nix
@ -19,6 +19,12 @@ in
            Note: The name of the DH params is taken as being the name of the
            service it serves: the params will be generated before the said
            service is started.
            Warning: If you are removing all dhparams from this list, you have
            to leave security.dhparams.enable for at least one activation in
            order to have them be cleaned up. This also means if you rollback to
            a version without any dhparams the existing ones won't be cleaned
            up.
          '';
        type = with types; attrsOf int;
        default = {};
@ -34,57 +40,68 @@ in
        type = types.str;
        default = "/var/lib/dhparams";
      };
      enable = mkOption {
        description =
          ''
            Whether to generate new DH params and clean up old DH params.
          '';
        default = false;
        type = types.bool;
      };
    };
  };
-  config.systemd.services = {
+  config = mkIf cfg.enable {
-    dhparams-init = {
+    systemd.services = {
-      description = "Cleanup old Diffie-Hellman parameters";
+      dhparams-init = {
-      wantedBy = [ "multi-user.target" ]; # Clean up even when no DH params is set
+        description = "Cleanup old Diffie-Hellman parameters";
-      serviceConfig.Type = "oneshot";
+        wantedBy = [ "multi-user.target" ]; # Clean up even when no DH params is set
-      script =
+        serviceConfig.Type = "oneshot";
-        # Create directory
+        script =
-        ''
+          # Create directory
-          if [ ! -d ${cfg.path} ]; then
+          ''
-            mkdir -p ${cfg.path}
+            if [ ! -d ${cfg.path} ]; then
-          fi
+              mkdir -p ${cfg.path}
        '' +
        # Remove old dhparams
        ''
          for file in ${cfg.path}/*; do
            if [ ! -f "$file" ]; then
              continue
            fi
-        '' + concatStrings (mapAttrsToList (name: value:
+          '' +
-        ''
+          # Remove old dhparams
-            if [ "$file" == "${cfg.path}/${name}.pem" ] && \
+          ''
-                ${pkgs.openssl}/bin/openssl dhparam -in "$file" -text | head -n 1 | grep "(${toString value} bit)" > /dev/null; then
+            for file in ${cfg.path}/*; do
-              continue
+              if [ ! -f "$file" ]; then
-            fi
+                continue
-        ''
+              fi
-        ) cfg.params) +
+          '' + concatStrings (mapAttrsToList (name: value:
-        ''
+          ''
-            rm $file
+              if [ "$file" == "${cfg.path}/${name}.pem" ] && \
-          done
+                  ${pkgs.openssl}/bin/openssl dhparam -in "$file" -text | head -n 1 | grep "(${toString value} bit)" > /dev/null; then
                continue
              fi
          ''
          ) cfg.params) +
          ''
              rm $file
            done
-          # TODO: Ideally this would be removing the *former* cfg.path, though this
+            # TODO: Ideally this would be removing the *former* cfg.path, though this
-          # does not seem really important
+            # does not seem really important as changes to it are quite unlikely
-          rmdir -p --ignore-fail-on-non-empty ${cfg.path}
+            rmdir --ignore-fail-on-non-empty ${cfg.path}
-        '';
+          '';
-    };
+      };
-  } //
+    } //
-    mapAttrs' (name: value: nameValuePair "dhparams-gen-${name}" {
+      mapAttrs' (name: value: nameValuePair "dhparams-gen-${name}" {
-      description = "Generate Diffie-Hellman parameters for ${name} if they don't exist yet";
+        description = "Generate Diffie-Hellman parameters for ${name} if they don't exist yet";
-      after = [ "dhparams-init.service" ];
+        after = [ "dhparams-init.service" ];
-      before = [ "${name}.service" ];
+        before = [ "${name}.service" ];
-      wantedBy = [ "multi-user.target" ];
+        wantedBy = [ "multi-user.target" ];
-      serviceConfig.Type = "oneshot";
+        serviceConfig.Type = "oneshot";
-      script =
+        script =
-        ''
+          ''
-          mkdir -p ${cfg.path}
+            mkdir -p ${cfg.path}
-          if [ ! -f ${cfg.path}/${name}.pem ]; then
+            if [ ! -f ${cfg.path}/${name}.pem ]; then
-            ${pkgs.openssl}/bin/openssl dhparam -out ${cfg.path}/${name}.pem ${toString value}
+              ${pkgs.openssl}/bin/openssl dhparam -out ${cfg.path}/${name}.pem ${toString value}
-          fi
+            fi
-        '';
+          '';
-    }) cfg.params;
+      }) cfg.params;
  };
 }