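{ config, lib, pkgs, ... }:

with lib;

let

  # The system-wide TLS trust store: every file in `certificateFiles` plus
  # the inline PEM blobs from `certificates`, concatenated into one bundle.
  # Everything that ends up here is a fully trusted root for TLS
  # verification in every program that honours the /etc paths or the
  # environment variables set below, so an addition to either option
  # carries the same weight as installing a root CA on the machine.
  #
  # The inline certificates are written into the Nix store via
  # builtins.toFile and are therefore world-readable.  That is fine for
  # certificates, which are public, but no private key material belongs
  # in these options.
  #
  # NOTE(review): entries of `certificateFiles` are read inside the build;
  # a bare path outside the store (e.g. "/etc/foo.crt") may not be
  # accessible there in a sandboxed build -- confirm before relying on it.
  caBundle = pkgs.runCommand "ca-bundle.crt"
    { files =
        config.security.pki.certificateFiles ++
        [ (builtins.toFile "extra.crt" (concatStringsSep "\n" config.security.pki.certificates)) ];
    }
    ''
      # Emit a newline after each input file.  A PEM file without a
      # trailing newline would otherwise fuse its
      # "-----END CERTIFICATE-----" line with the next file's
      # "-----BEGIN CERTIFICATE-----", and a PEM reader would most likely
      # skip both certificates without any error.  Blank lines between PEM
      # blocks are ignored by PEM parsers, so the extra newline is harmless.
      for f in $files; do
        cat "$f"
        echo
      done > $out
    '';

in

{

  options = {

    security.pki.certificateFiles = mkOption {
      type = types.listOf types.path;
      default = [];
      example = literalExample "[ \"\${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt\" ]";
      description = ''
        A list of files containing trusted root certificates in PEM
        format. These are concatenated to form
        <filename>/etc/ssl/certs/ca-bundle.crt</filename>, which is
        used by many programs that use OpenSSL, such as
        <command>curl</command> and <command>git</command>.
      '';
    };

    # Each element is a PEM blob that becomes a trust anchor for the whole
    # system.  Free text around the certificate (as in the example) is
    # tolerated because PEM readers ignore lines outside BEGIN/END markers.
    security.pki.certificates = mkOption {
      type = types.listOf types.str;
      default = [];
      example = singleton ''
        NixOS.org
        =========
        -----BEGIN CERTIFICATE-----
        MIIGUDCCBTigAwIBAgIDD8KWMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
        TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
        ...
        -----END CERTIFICATE-----
      '';
      description = ''
        A list of trusted root certificates in PEM format.
      '';
    };

  };

  config = {

    # Mozilla's CA bundle (pkgs.cacert) is always part of the trust store:
    # list options are merged by concatenation, so a user's
    # `certificateFiles` setting is added to this entry rather than
    # replacing it.  Use `mkForce` to drop the public roots and ship a
    # private-only trust store.
    security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ];

    # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility.
    environment.etc."ssl/certs/ca-certificates.crt".source = caBundle;

    # Old NixOS compatibility.
    environment.etc."ssl/certs/ca-bundle.crt".source = caBundle;

    # CentOS/Fedora compatibility.
    environment.etc."pki/tls/certs/ca-bundle.crt".source = caBundle;

    # Point TLS clients at the bundle explicitly.  Only programs that honour
    # these variables (or the /etc paths above) pick up the system trust
    # store; software that carries its own CA list is unaffected by this
    # module and must be configured separately.
    environment.sessionVariables =
      { SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt";
        # FIXME: unneeded - remove eventually.
        GIT_SSL_CAINFO = "/etc/ssl/certs/ca-certificates.crt";
      };

  };

}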