348858f297
According to the ABNF grammar for PEM files described in [RFC 7468][1], an eol character (i.e. a newline) is not mandatory after the posteb line (i.e. "-----END CERTIFICATE-----" in the case of certificates). This commit makes our CA certificate bundler expression account for the possibility that files in config.security.pki.certificateFiles might not have final newlines, by using `awk` instead of `cat` to concatenate them. (`awk` prints a final newline from each input file even if the file doesn't end with a newline.) [1]: https://datatracker.ietf.org/doc/html/rfc7468#section-3
90 lines
2.5 KiB
Nix
# NixOS module that assembles the system-wide CA trust bundle.
#
# Every file in security.pki.certificateFiles and every string in
# security.pki.certificates is concatenated into a single PEM file, which is
# then installed at the /etc paths listed under `config` below. Each entry
# therefore becomes a trust anchor for any program that reads those paths.
{ config, lib, pkgs, ... }:

let
  inherit (lib) concatStringsSep literalExample mkOption types;

  cfg = config.security.pki;

  # pkgs.cacert rebuilt with the administrator's blacklisted CA names.
  filteredCacert = pkgs.cacert.override {
    blacklist = cfg.caCertificateBlacklist;
  };

  # The inline PEM strings from security.pki.certificates, joined with
  # newlines and written to one store file.
  inlineCertificates =
    builtins.toFile "extra.crt" (concatStringsSep "\n" cfg.certificates);

  # `awk 1` prints every input line followed by a newline, so an input file
  # that lacks a final newline cannot fuse its "-----END CERTIFICATE-----"
  # line with the next file's "-----BEGIN CERTIFICATE-----" line.
  # The build step only concatenates: nothing here parses or validates the
  # PEM content, so whatever the inputs contain ends up in the bundle.
  trustBundle = pkgs.runCommand "ca-certificates.crt" {
    files = cfg.certificateFiles ++ [ inlineCertificates ];
    preferLocalBuild = true;
  } "awk 1 $files > $out";
in

{
  options.security.pki = {

    certificateFiles = mkOption {
      type = types.listOf types.path;
      default = [];
      example = literalExample "[ \"\${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt\" ]";
      description = ''
        A list of files containing trusted root certificates in PEM
        format. These are concatenated to form
        <filename>/etc/ssl/certs/ca-certificates.crt</filename>, which is
        used by many programs that use OpenSSL, such as
        <command>curl</command> and <command>git</command>.
      '';
    };

    certificates = mkOption {
      type = types.listOf types.str;
      default = [];
      example = literalExample ''
        [ '''
            NixOS.org
            =========
            -----BEGIN CERTIFICATE-----
            MIIGUDCCBTigAwIBAgIDD8KWMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
            TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
            ...
            -----END CERTIFICATE-----
          '''
        ]
      '';
      description = ''
        A list of trusted root certificates in PEM format.
      '';
    };

    caCertificateBlacklist = mkOption {
      type = types.listOf types.str;
      default = [];
      example = [
        "WoSign" "WoSign China"
        "CA WoSign ECC Root"
        "Certification Authority of WoSign G2"
      ];
      description = ''
        A list of blacklisted CA certificate names that won't be imported from
        the Mozilla Trust Store into
        <filename>/etc/ssl/certs/ca-certificates.crt</filename>. Use the
        names from that file.
      '';
    };

  };

  config = {

    # The filtered cacert bundle is contributed as an ordinary definition of
    # the list option, alongside any entries set elsewhere. Adding a
    # certificate does not drop a CA from this bundle; removal goes through
    # caCertificateBlacklist.
    security.pki.certificateFiles = [ "${filteredCacert}/etc/ssl/certs/ca-bundle.crt" ];

    # The same bundle is exposed under each path that different distributions'
    # software expects.
    environment.etc = {
      # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility.
      "ssl/certs/ca-certificates.crt".source = trustBundle;

      # Old NixOS compatibility.
      "ssl/certs/ca-bundle.crt".source = trustBundle;

      # CentOS/Fedora compatibility.
      "pki/tls/certs/ca-bundle.crt".source = trustBundle;
    };

  };

}