0d59fc1169
Previously, the list of CA certificates was generated with a perl script which is included in curl. As this script is not very flexible, this commit refactors the expression to use the python script that Debian uses to generate their CA certificates from Mozilla's trust store in NSS. Additionally, an option was added to the cacerts derivation and the `security.pki` module to blacklist specific CAs.
{ config, lib, pkgs, ... }:

# System-wide CA trust store.
#
# The `security.pki` options assemble one PEM bundle and expose it at
# several well-known paths under /etc.  The bundle is the concatenation
# of, in order:
#   * every file listed in `security.pki.certificateFiles` (the Mozilla
#     trust store from `pkgs.cacert` is added to that list below);
#   * every PEM string in `security.pki.certificates`, joined into one
#     extra file.
#
# `security.pki.caCertificateBlacklist` is handed only to the cacert
# derivation, so it prunes the Mozilla store alone; files and strings the
# user supplies through the other two options are concatenated verbatim
# and are not filtered by the blacklist.
let
  inherit (lib) mkOption types literalExample concatStringsSep;

  pki = config.security.pki;

  # Mozilla store with the blacklisted CA names left out by the package.
  mozillaBundle = pkgs.cacert.override {
    blacklist = pki.caCertificateBlacklist;
  };

  # Inline PEM strings, written to the Nix store as a single file.  Store
  # paths are world-readable, which is fine for public certificates.
  extraCertFile =
    builtins.toFile "extra.crt" (concatStringsSep "\n" pki.certificates);

  # Final bundle: configured files first, the inline extras last.
  bundle = pkgs.runCommand "ca-certificates.crt"
    { files = pki.certificateFiles ++ [ extraCertFile ]; }
    ''
      cat $files > $out
    '';
in
{
  options.security.pki = {

    certificateFiles = mkOption {
      type = types.listOf types.path;
      default = [];
      example = literalExample "[ \"\${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt\" ]";
      description = ''
        A list of files containing trusted root certificates in PEM
        format. These are concatenated to form
        <filename>/etc/ssl/certs/ca-certificates.crt</filename>, which is
        used by many programs that use OpenSSL, such as
        <command>curl</command> and <command>git</command>.
      '';
    };

    certificates = mkOption {
      type = types.listOf types.str;
      default = [];
      example = literalExample ''
        [ '''
            NixOS.org
            =========
            -----BEGIN CERTIFICATE-----
            MIIGUDCCBTigAwIBAgIDD8KWMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
            TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
            ...
            -----END CERTIFICATE-----
          '''
        ]
      '';
      description = ''
        A list of trusted root certificates in PEM format.
      '';
    };

    caCertificateBlacklist = mkOption {
      type = types.listOf types.str;
      default = [];
      example = [
        "WoSign" "WoSign China"
        "CA WoSign ECC Root"
        "Certification Authority of WoSign G2"
      ];
      description = ''
        A list of blacklisted CA certificate names that won't be imported from
        the Mozilla Trust Store into
        <filename>/etc/ssl/certs/ca-certificates.crt</filename>. Use the
        names from that file.
      '';
    };

  };

  config = {

    # The (blacklist-filtered) Mozilla bundle is contributed as one entry of
    # the list option; entries set elsewhere are merged with it, as list
    # options concatenate rather than override.
    security.pki.certificateFiles = [ "${mozillaBundle}/etc/ssl/certs/ca-bundle.crt" ];

    # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility.
    environment.etc."ssl/certs/ca-certificates.crt".source = bundle;

    # Old NixOS compatibility.
    environment.etc."ssl/certs/ca-bundle.crt".source = bundle;

    # CentOS/Fedora compatibility.
    environment.etc."pki/tls/certs/ca-bundle.crt".source = bundle;

  };
}