security.pki: add module to configure ca certificates

This makes NIX_SSL_CERT_FILE configurable and makes /etc/ssl/certs/ca-certificates.crt available like nixos.
2025-03-05 08:17:01 +00:00 · 2019-01-15 21:55:08 +01:00 · 2019-01-15 21:55:08 +01:00 · 2e525a93da
commit 2e525a93da
parent 61e30229cc
3 changed files with 86 additions and 6 deletions
--- a/default.nix
+++ b/default.nix
@ -19,6 +19,7 @@ let
      [ configuration
        packages
        ./modules/alias.nix
+        ./modules/security/pki
        ./modules/system
        ./modules/system/checks.nix
        ./modules/system/activation-scripts.nix
--- a/modules/environment/default.nix
+++ b/modules/environment/default.nix
@ -3,7 +3,6 @@
 with lib;

 let
-
  cfg = config.environment;

  exportVariables =
@ -13,10 +12,10 @@ let
    mapAttrsFlatten (n: v: ''alias ${n}="${v}"'') cfg.shellAliases;

  makeDrvBinPath = concatMapStringsSep ":" (p: if isDerivation p then "${p}/bin" else p);
+in

-in {
+{
  options = {
-
    environment.systemPackages = mkOption {
      type = types.listOf types.package;
      default = [];
@ -147,7 +146,6 @@ in {
      '';
      type = types.lines;
    };
-
  };

  config = {
@ -172,8 +170,7 @@ in {
    '';

    environment.variables =
-      { NIX_SSL_CERT_FILE = mkDefault "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
-        EDITOR = mkDefault "nano";
+      { EDITOR = mkDefault "nano";
        PAGER = mkDefault "less -R";
      };

--- a/modules/security/pki/default.nix
+++ b/modules/security/pki/default.nix
@ -0,0 +1,82 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.security.pki;
+
+  cacertPackage = pkgs.cacert.override {
+    blacklist = cfg.caCertificateBlacklist;
+  };
+
+  caCertificates = pkgs.runCommand "ca-certificates.crt"
+    { files =
+        cfg.certificateFiles ++
+        [ (builtins.toFile "extra.crt" (concatStringsSep "\n" cfg.certificates)) ];
+     }
+    ''
+      cat $files > $out
+    '';
+in
+
+{
+  options = {
+    security.pki.certificateFiles = mkOption {
+      type = types.listOf types.path;
+      default = [];
+      example = literalExample "[ \"\${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt\" ]";
+      description = ''
+        A list of files containing trusted root certificates in PEM
+        format. These are concatenated to form
+        <filename>/etc/ssl/certs/ca-certificates.crt</filename>, which is
+        used by many programs that use OpenSSL, such as
+        <command>curl</command> and <command>git</command>.
+      '';
+    };
+
+    security.pki.certificates = mkOption {
+      type = types.listOf types.str;
+      default = [];
+      example = literalExample ''
+        [ '''
+            NixOS.org
+            =========
+            -----BEGIN CERTIFICATE-----
+            MIIGUDCCBTigAwIBAgIDD8KWMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
+            TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
+            ...
+            -----END CERTIFICATE-----
+          '''
+        ]
+      '';
+      description = ''
+        A list of trusted root certificates in PEM format.
+      '';
+    };
+
+    security.pki.caCertificateBlacklist = mkOption {
+      type = types.listOf types.str;
+      default = [];
+      example = [
+        "WoSign" "WoSign China"
+        "CA WoSign ECC Root"
+        "Certification Authority of WoSign G2"
+      ];
+      description = ''
+        A list of blacklisted CA certificate names that won't be imported from
+        the Mozilla Trust Store into
+        <filename>/etc/ssl/certs/ca-certificates.crt</filename>. Use the
+        names from that file.
+      '';
+    };
+  };
+
+  config = {
+
+    security.pki.certificateFiles = [ "${cacertPackage}/etc/ssl/certs/ca-bundle.crt" ];
+
+    environment.etc."ssl/certs/ca-certificates.crt".source = caCertificates;
+    environment.variables.NIX_SSL_CERT_FILE = mkDefault "/etc/ssl/certs/ca-certificates.crt";
+
+  };
+}