dhparams service: init

[abbradar]

This adds a service which generates Diffie-Hellman parameters for daemons that need them. Parameters are stored in /var/lib/dhparams by default. I've added some documentation describing their purpose and example settings for nginx (analogous to our acme module).

I've found out about #11505 post-factum. The main difference between our solutions is that I don't store generated parameters in the Nix store, avoiding non-determinism. Personally I like that solution more (a thought of purposely non-deterministic Nix outputs contradicts my views on Nix ~_^), but I understand some advantages of doing it as an output and am open for discussion.

cc @fpletz

[mention-bot]

By analyzing the blame information on this pull request, we identified @edolstra, @nbp and @bjornfor to be potential reviewers

[globin]

See this, too mayflower@f55e544

[edolstra]

I'm not so sure about this. This seems like a pretty large wrapper around what is essentially just a one-line call to openssl dhparam. If nginx needs DH parameters, wouldn't it be better to do that in the nginx preStart script? It also seems strange to specify nginx configuration outside of services.nginx.

[abbradar]

I thought about that too, but it seemed to me that it would be too much boilerplate copied between different services. Some I know of that need DH parameters are Postfix, ejabberd, nginx and OpenVPN -- I also have a real-world configuration that needs four different generated parameters for different services.

EDIT: On the other hand, each service requires different configuration options that can be set by respective services automatically if we take "copy-for-each-service" route...