1{ config, lib, pkgs, ... }:
2
3with lib;
4
5let
6
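# The system trust store: every certificate file listed in
# security.pki.certificateFiles, followed by the inline certificates from
# security.pki.certificates, concatenated into one PEM bundle.  Each
# certificate in the result is a trust anchor for the programs that read
# the bundle, so the inputs should be reviewed with that in mind.
caCertificates = pkgs.runCommand "ca-certificates.crt"
  { files =
      config.security.pki.certificateFiles ++
      # Inline certificates are separated by a newline so that two entries
      # given without trailing newlines cannot run into each other.
      [ (builtins.toFile "extra.crt" (concatStringsSep "\n" config.security.pki.certificates)) ];
  }
  ''
    # $files arrives as a whitespace-separated string, so the loop splits
    # on whitespace; paths containing spaces are not supported here.
    : > $out
    for f in $files; do
      cat "$f" >> $out
      # A file that does not end in a newline would fuse its final
      # "-----END CERTIFICATE-----" with the next file's
      # "-----BEGIN CERTIFICATE-----" and make the rest of the bundle
      # unparseable; terminate it with a newline when it lacks one.
      [ "$(tail -c1 "$f" | wc -l)" -eq 1 ] || echo >> $out
    done
  '';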
15
16in
17
18{
19
# Options under security.pki.  Both lists feed the generated
# /etc/ssl/certs/ca-certificates.crt bundle, so anything added to either
# of them is trusted as a root certificate by every program that reads
# that bundle.
options.security.pki = {

  # Files (PEM bundles) concatenated into the trust store, in list order.
  certificateFiles = mkOption {
    default = [];
    type = types.listOf types.path;
    example = literalExample "[ \"\${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt\" ]";
    description = ''
      A list of files containing trusted root certificates in PEM
      format. These are concatenated to form
      <filename>/etc/ssl/certs/ca-certificates.crt</filename>, which is
      used by many programs that use OpenSSL, such as
      <command>curl</command> and <command>git</command>.
    '';
  };

  # Certificates given inline as PEM text; they are appended after the
  # files above.
  certificates = mkOption {
    default = [];
    type = types.listOf types.str;
    example = literalExample ''
      [ '''
          NixOS.org
          =========
          -----BEGIN CERTIFICATE-----
          MIIGUDCCBTigAwIBAgIDD8KWMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
          TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
          ...
          -----END CERTIFICATE-----
        '''
      ]
    '';
    description = ''
      A list of trusted root certificates in PEM format.
    '';
  };

};
56
config = {

  # The bundle shipped in pkgs.cacert is always part of the trust store.
  security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ];

  # Publish the one generated bundle under every path that programs built
  # for other distributions (or older NixOS releases) expect, so that all
  # of them see the same set of trust anchors.
  environment.etc = {
    # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility.
    "ssl/certs/ca-certificates.crt".source = caCertificates;
    # Old NixOS compatibility.
    "ssl/certs/ca-bundle.crt".source = caCertificates;
    # CentOS/Fedora compatibility.
    "pki/tls/certs/ca-bundle.crt".source = caCertificates;
  };

};
71
72}