95 lines
2.5 KiB
Nix
95 lines
2.5 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
with lib;
|
|
|
|
let
|
|
|
|
cfg = config.security.pki;
|
|
|
|
cacertPackage = pkgs.cacert.override {
|
|
blacklist = cfg.caCertificateBlacklist;
|
|
};
|
|
|
|
caCertificates = pkgs.runCommand "ca-certificates.crt"
|
|
{ files =
|
|
cfg.certificateFiles ++
|
|
[ (builtins.toFile "extra.crt" (concatStringsSep "\n" cfg.certificates)) ];
|
|
preferLocalBuild = true;
|
|
}
|
|
''
|
|
cat $files > $out
|
|
'';
|
|
|
|
in
|
|
|
|
{
|
|
|
|
options = {
|
|
|
|
security.pki.certificateFiles = mkOption {
|
|
type = types.listOf types.path;
|
|
default = [];
|
|
example = literalExample "[ \"\${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt\" ]";
|
|
description = ''
|
|
A list of files containing trusted root certificates in PEM
|
|
format. These are concatenated to form
|
|
<filename>/etc/ssl/certs/ca-certificates.crt</filename>, which is
|
|
used by many programs that use OpenSSL, such as
|
|
<command>curl</command> and <command>git</command>.
|
|
'';
|
|
};
|
|
|
|
security.pki.certificates = mkOption {
|
|
type = types.listOf types.str;
|
|
default = [];
|
|
example = literalExample ''
|
|
[ '''
|
|
NixOS.org
|
|
=========
|
|
-----BEGIN CERTIFICATE-----
|
|
MIIGUDCCBTigAwIBAgIDD8KWMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
|
|
TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
|
|
...
|
|
-----END CERTIFICATE-----
|
|
'''
|
|
]
|
|
'';
|
|
description = ''
|
|
A list of trusted root certificates in PEM format.
|
|
'';
|
|
};
|
|
|
|
security.pki.caCertificateBlacklist = mkOption {
|
|
type = types.listOf types.str;
|
|
default = [];
|
|
example = [
|
|
"WoSign" "WoSign China"
|
|
"CA WoSign ECC Root"
|
|
"Certification Authority of WoSign G2"
|
|
];
|
|
description = ''
|
|
A list of blacklisted CA certificate names that won't be imported from
|
|
the Mozilla Trust Store into
|
|
<filename>/etc/ssl/certs/ca-certificates.crt</filename>. Use the
|
|
names from that file.
|
|
'';
|
|
};
|
|
|
|
};
|
|
|
|
config = {
|
|
|
|
security.pki.certificateFiles = [ "${cacertPackage}/etc/ssl/certs/ca-bundle.crt" ];
|
|
|
|
# NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility.
|
|
environment.etc."ssl/certs/ca-certificates.crt".source = caCertificates;
|
|
|
|
# Old NixOS compatibility.
|
|
environment.etc."ssl/certs/ca-bundle.crt".source = caCertificates;
|
|
|
|
# CentOS/Fedora compatibility.
|
|
environment.etc."pki/tls/certs/ca-bundle.crt".source = caCertificates;
|
|
|
|
};
|
|
|
|
}
|