nixos/dhparams: Add a defaultBitSize option

This allows to set the default bit size for all the Diffie-Hellman
parameters defined in security.dhparams.params and it's particularly
useful so that we can set it to a very low value in tests (so it doesn't
take ages to generate).

Regardless for the use in testing, this also has an impact in production
systems if the owner wants to set all of them to a different size than
2048, they don't need to set it individually for every params that are
set.

I've added a subtest to the "dhparams" NixOS test to ensure this is
working properly.

Signed-off-by: aszlig <aszlig@nix.build>

1 files changed, 14 insertions, 0 deletions

diff --git a/nixos/tests/dhparams.nix b/nixos/tests/dhparams.nix
index da75391e4ce5..d11dfeec5d0c 100644
--- a/nixos/tests/dhparams.nix
+++ b/nixos/tests/dhparams.nix
@@ -54,6 +54,13 @@ in import ./make-test.nix {
     security.dhparams.params.bar2.bits = 19;
   };
 
+  nodes.generation5 = {
+    imports = [ common ];
+    security.dhparams.defaultBitSize = 30;
+    security.dhparams.params.foo3 = {};
+    security.dhparams.params.bar3 = {};
+  };
+
   testScript = { nodes, ... }: let
     getParamPath = gen: name: let
       node = "generation${toString gen}";
@@ -126,5 +133,12 @@ in import ./make-test.nix {
         'expr match ${getParamPath 4 "bar2"} ${builtins.storeDir}',
       );
     };
+
+    ${switchToGeneration 5}
+
+    subtest "check whether defaultBitSize works as intended", sub {
+      ${assertParamBits 5 "foo3" 30}
+      ${assertParamBits 5 "bar3" 30}
+    };
   '';
 }