# NixOS module: system-wide CA trust store (security.pki.*).
#
# Builds a single PEM bundle from the Mozilla trust store (minus any
# blacklisted CA names) plus user-supplied certificate files/strings, and
# publishes it under the paths that OpenSSL-based programs commonly read.
# Everything listed here becomes trusted by every such program on the
# system, so additions to these options are a trust decision, not a
# convenience setting.
{ config, lib, pkgs, ... }:

let
  inherit (lib) mkOption types literalExample concatStringsSep genAttrs;

  pki = config.security.pki;

  # Mozilla bundle with the user's blacklisted CA names filtered out.
  mozillaBundle = pkgs.cacert.override {
    blacklist = pki.caCertificateBlacklist;
  };

  # Inline PEM strings from `security.pki.certificates`, written to one
  # store file so they can be concatenated like any other input file.
  extraCertFile = builtins.toFile "extra.crt" (concatStringsSep "\n" pki.certificates);

  # Final bundle: all configured files followed by the inline certificates.
  # `awk 1` prints every line and terminates each with "\n", so a file that
  # lacks a trailing newline does not glue its last line to the next file.
  trustBundle = pkgs.runCommand "ca-certificates.crt" {
    files = pki.certificateFiles ++ [ extraCertFile ];
    preferLocalBuild = true;
  } "awk 1 $files > $out";
in
{
  options = {

    security.pki.certificateFiles = mkOption {
      type = types.listOf types.path;
      default = [];
      example = literalExample "[ \"\${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt\" ]";
      description = ''
        A list of files containing trusted root certificates in PEM
        format. These are concatenated to form
        <filename>/etc/ssl/certs/ca-certificates.crt</filename>, which is
        used by many programs that use OpenSSL, such as
        <command>curl</command> and <command>git</command>.
      '';
    };

    security.pki.certificates = mkOption {
      type = types.listOf types.str;
      default = [];
      example = literalExample ''
        [ '''
            NixOS.org
            =========
            -----BEGIN CERTIFICATE-----
            MIIGUDCCBTigAwIBAgIDD8KWMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
            TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
            ...
            -----END CERTIFICATE-----
          '''
        ]
      '';
      description = ''
        A list of trusted root certificates in PEM format.
      '';
    };

    # Names are matched against the Mozilla bundle shipped by pkgs.cacert;
    # a misspelled name silently matches nothing.
    security.pki.caCertificateBlacklist = mkOption {
      type = types.listOf types.str;
      default = [];
      example = [
        "WoSign" "WoSign China"
        "CA WoSign ECC Root"
        "Certification Authority of WoSign G2"
      ];
      description = ''
        A list of blacklisted CA certificate names that won't be imported from
        the Mozilla Trust Store into
        <filename>/etc/ssl/certs/ca-certificates.crt</filename>. Use the
        names from that file.
      '';
    };

  };

  config = {

    # The (filtered) Mozilla bundle is always part of the trust store; files
    # the user lists in this option are merged in by the module system.
    security.pki.certificateFiles = [ "${mozillaBundle}/etc/ssl/certs/ca-bundle.crt" ];

    # Publish the one bundle under every path programs commonly probe:
    #   ssl/certs/ca-certificates.crt - NixOS canonical + Debian/Ubuntu/Arch/Gentoo
    #   ssl/certs/ca-bundle.crt       - older NixOS releases
    #   pki/tls/certs/ca-bundle.crt   - CentOS/Fedora
    environment.etc = genAttrs [
      "ssl/certs/ca-certificates.crt"
      "ssl/certs/ca-bundle.crt"
      "pki/tls/certs/ca-bundle.crt"
    ] (_: { source = trustBundle; });

  };
}