security.pki: add module to configure ca certificates
This makes NIX_SSL_CERT_FILE configurable and makes /etc/ssl/certs/ca-certificates.crt available, as on NixOS.
This commit is contained in:
parent
61e30229cc
commit
2e525a93da
3 changed files with 86 additions and 6 deletions
|
@ -19,6 +19,7 @@ let
|
|||
[ configuration
|
||||
packages
|
||||
./modules/alias.nix
|
||||
./modules/security/pki
|
||||
./modules/system
|
||||
./modules/system/checks.nix
|
||||
./modules/system/activation-scripts.nix
|
||||
|
|
|
@ -3,7 +3,6 @@
|
|||
with lib;
|
||||
|
||||
let
|
||||
|
||||
cfg = config.environment;
|
||||
|
||||
exportVariables =
|
||||
|
@ -13,10 +12,10 @@ let
|
|||
mapAttrsFlatten (n: v: ''alias ${n}="${v}"'') cfg.shellAliases;
|
||||
|
||||
makeDrvBinPath = concatMapStringsSep ":" (p: if isDerivation p then "${p}/bin" else p);
|
||||
in
|
||||
|
||||
in {
|
||||
{
|
||||
options = {
|
||||
|
||||
environment.systemPackages = mkOption {
|
||||
type = types.listOf types.package;
|
||||
default = [];
|
||||
|
@ -147,7 +146,6 @@ in {
|
|||
'';
|
||||
type = types.lines;
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
config = {
|
||||
|
@ -172,8 +170,7 @@ in {
|
|||
'';
|
||||
|
||||
environment.variables =
|
||||
{ NIX_SSL_CERT_FILE = mkDefault "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
|
||||
EDITOR = mkDefault "nano";
|
||||
{ EDITOR = mkDefault "nano";
|
||||
PAGER = mkDefault "less -R";
|
||||
};
|
||||
|
||||
|
|
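--- /dev/null
+++ b/modules/security/pki/default.nix
@@ -0,0 +1,82 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+cfg = config.security.pki;
+
+cacertPackage = pkgs.cacert.override {
+blacklist = cfg.caCertificateBlacklist;
+};
+
+caCertificates = pkgs.runCommand "ca-certificates.crt"
+{ files =
+cfg.certificateFiles ++
+[ (builtins.toFile "extra.crt" (concatStringsSep "\n" cfg.certificates)) ];
+}
+''
+cat $files > $out
+'';
+in
+
+{
+options = {
+security.pki.certificateFiles = mkOption {
+type = types.listOf types.path;
+default = [];
+example = literalExample "[ \"\${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt\" ]";
+description = ''
+A list of files containing trusted root certificates in PEM
+format. These are concatenated to form
+<filename>/etc/ssl/certs/ca-certificates.crt</filename>, which is
+used by many programs that use OpenSSL, such as
+<command>curl</command> and <command>git</command>.
+'';
+};
+
+security.pki.certificates = mkOption {
+type = types.listOf types.str;
+default = [];
+example = literalExample ''
+[ '''
+NixOS.org
+=========
+-----BEGIN CERTIFICATE-----
+MIIGUDCCBTigAwIBAgIDD8KWMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
+TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
+...
+-----END CERTIFICATE-----
+'''
+]
+'';
+description = ''
+A list of trusted root certificates in PEM format.
+'';
+};
+
+security.pki.caCertificateBlacklist = mkOption {
+type = types.listOf types.str;
+default = [];
+example = [
+"WoSign" "WoSign China"
+"CA WoSign ECC Root"
+"Certification Authority of WoSign G2"
+];
+description = ''
+A list of blacklisted CA certificate names that won't be imported from
+the Mozilla Trust Store into
+<filename>/etc/ssl/certs/ca-certificates.crt</filename>. Use the
+names from that file.
+'';
+};
+};
+
+config = {
+
+security.pki.certificateFiles = [ "${cacertPackage}/etc/ssl/certs/ca-bundle.crt" ];
+
+environment.etc."ssl/certs/ca-certificates.crt".source = caCertificates;
+environment.variables.NIX_SSL_CERT_FILE = mkDefault "/etc/ssl/certs/ca-certificates.crt";
+
+};
+}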
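Review bot: `cat $files > $out` in the `caCertificates` builder assumes every input file ends with a newline; a file listed in `security.pki.certificateFiles` that lacks one would be glued onto the first line of the following input, and PEM readers may then skip the malformed block rather than fail, so a root the user intended to trust can drop out of the bundle without any error at build or activation time. Writing each input line-terminated avoids the fusion, e.g. `awk 1 $files > $out` in place of the `cat` line. Separately, the `config` block only defaults `NIX_SSL_CERT_FILE`; if tools outside the Nix toolchain are also expected to pick up this bundle, consider whether `SSL_CERT_FILE` should receive the same `mkDefault`, which neither the module nor the commit message currently addresses.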