nixos: Add release notes about dhparams changes

This is not only to make users aware of the changes but also to give a heads up to developers which are using the module. Specifically if they rely on security.dhparams.path only. Signed-off-by: aszlig <aszlig@nix.build>
2018-05-07 05:02:41 +02:00 · 2018-05-07 05:02:41 +02:00 · a8b7372380
commit a8b7372380
parent 81fc2c3509
1 changed files with 50 additions and 0 deletions
--- a/nixos/doc/manual/release-notes/rl-1809.xml
+++ b/nixos/doc/manual/release-notes/rl-1809.xml
@ -77,7 +77,57 @@ following incompatible changes:</para>
 <itemizedlist>
  <listitem>
    <para>
+      The module for <option>security.dhparams</option> has two new options
+      now:
    </para>
+
+    <variablelist>
+      <varlistentry>
+        <term><option>security.dhparams.stateless</option></term>
+        <listitem><para>
+          Puts the generated Diffie-Hellman parameters into the Nix store
+          instead of managing them in a stateful manner in
+          <filename class="directory">/var/lib/dhparams</filename>.
+        </para></listitem>
+      </varlistentry>
+      <varlistentry>
+        <term><option>security.dhparams.defaultBitSize</option></term>
+        <listitem><para>
+          The default bit size to use for the generated Diffie-Hellman
+          parameters.
+        </para></listitem>
+      </varlistentry>
+    </variablelist>
+
+    <note><para>
+      The path to the actual generated parameter files should now be queried
+      using
+      <literal>config.security.dhparams.params.<replaceable>name</replaceable>.path</literal>
+      because it might be either in the Nix store or in a directory configured
+      by <option>security.dhparams.path</option>.
+    </para></note>
+
+    <note>
+      <title>For developers:</title>
+      <para>
+        Module implementers should not set a specific bit size in order to let
+        users configure it by themselves if they want to have a different bit
+        size than the default (2048).
+      </para>
+      <para>
+        An example usage of this would be:
+<programlisting>
+{ config, ... }:
+
+{
+  security.dhparams.params.myservice = {};
+  environment.etc."myservice.conf".text = ''
+    dhparams = ${config.security.dhparams.params.myservice.path}
+  '';
+}
+</programlisting>
+      </para>
+    </note>
  </listitem>
 </itemizedlist>