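# System trust store for NixOS.
#
# Builds a single PEM bundle from three sources -- the Mozilla trust store
# (with any blacklisted roots removed), extra certificate files, and inline
# PEM certificates given as strings -- and installs it at
# /etc/ssl/certs/ca-certificates.crt plus the paths other distributions'
# tooling expects.
{ config, lib, pkgs, ... }:

with lib;

let

  cfg = config.security.pki;

  # The Mozilla bundle with the configured blacklist applied at build time:
  # a distrusted root is dropped before it can ever reach the bundle.
  cacertPackage = pkgs.cacert.override {
    blacklist = cfg.caCertificateBlacklist;
  };

  # Inline certificates are written to one store file so they can be handled
  # exactly like the user-supplied certificate files below.
  extraCertificates =
    builtins.toFile "extra.crt" (concatStringsSep "\n" cfg.certificates);

  # Concatenate every input into the final bundle.
  #
  # `awk 1` re-emits each input line terminated by a newline, whereas plain
  # `cat` copies bytes verbatim. With `cat`, an input file that lacks a
  # trailing newline (easily the case for pasted or downloaded PEM files)
  # fuses its final "-----END CERTIFICATE-----" with the next file's
  # "-----BEGIN CERTIFICATE-----" on one line, and PEM parsers then skip the
  # affected certificates without any error -- a silent gap in the trust
  # store. `awk 1` makes the bundle well-formed regardless of input endings.
  caCertificates = pkgs.runCommand "ca-certificates.crt"
    { files = cfg.certificateFiles ++ [ extraCertificates ];
      # The build is a trivial local text transform; never ship it to a
      # remote builder.
      preferLocalBuild = true;
    }
    ''
      awk 1 $files > $out
    '';

in

{

  options = {

    # Files whose contents are concatenated into the bundle. The Mozilla
    # bundle is contributed to this list by the `config` section below, so
    # user values are merged with it rather than replacing it.
    security.pki.certificateFiles = mkOption {
      type = types.listOf types.path;
      default = [];
      example = literalExample "[ \"\${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt\" ]";
      description = ''
        A list of files containing trusted root certificates in PEM
        format. These are concatenated to form
        <filename>/etc/ssl/certs/ca-certificates.crt</filename>, which is
        used by many programs that use OpenSSL, such as
        <command>curl</command> and <command>git</command>.
      '';
    };

    # Certificates given inline as PEM text; joined with newlines into the
    # generated extra.crt above.
    security.pki.certificates = mkOption {
      type = types.listOf types.str;
      default = [];
      example = literalExample ''
        [ '''
            NixOS.org
            =========
            -----BEGIN CERTIFICATE-----
            MIIGUDCCBTigAwIBAgIDD8KWMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
            TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
            ...
            -----END CERTIFICATE-----
          '''
        ]
      '';
      description = ''
        A list of trusted root certificates in PEM format.
      '';
    };

    # Names (as they appear in the Mozilla bundle) of roots to exclude. The
    # filtering happens inside the cacert package override above.
    security.pki.caCertificateBlacklist = mkOption {
      type = types.listOf types.str;
      default = [];
      example = [
        "WoSign" "WoSign China"
        "CA WoSign ECC Root"
        "Certification Authority of WoSign G2"
      ];
      description = ''
        A list of blacklisted CA certificate names that won't be imported from
        the Mozilla Trust Store into
        <filename>/etc/ssl/certs/ca-certificates.crt</filename>. Use the
        names from that file.
      '';
    };

  };

  config = {

    # Seed the file list with the (blacklist-filtered) Mozilla bundle; list
    # options merge by concatenation, so user-specified files are added to it.
    security.pki.certificateFiles = [ "${cacertPackage}/etc/ssl/certs/ca-bundle.crt" ];

    # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility.
    environment.etc."ssl/certs/ca-certificates.crt".source = caCertificates;

    # Old NixOS compatibility.
    environment.etc."ssl/certs/ca-bundle.crt".source = caCertificates;

    # CentOS/Fedora compatibility.
    environment.etc."pki/tls/certs/ca-bundle.crt".source = caCertificates;

  };

}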