# NixOS module for the system CA trust store (`security.pki.*`).
#
# The Mozilla trust store shipped in `pkgs.cacert` is rebuilt with the user's
# exclusions (`caCertificateBlacklist`) and additions (`certificateFiles`,
# `certificates`), and the resulting PEM bundle is published under the /etc
# paths that different distributions and TLS libraries expect.
{ config, lib, pkgs, ... }:

let
  pkiCfg = config.security.pki;

  # `pkgs.cacert` with the user's overrides applied.  Everything exposed
  # below is derived from this single package, so all /etc aliases stay
  # consistent with each other.
  trustPackage = pkgs.cacert.override {
    blacklist = pkiCfg.caCertificateBlacklist;
    extraCertificateFiles = pkiCfg.certificateFiles;
    extraCertificateStrings = pkiCfg.certificates;
  };

  # The concatenated PEM bundle every /etc alias points at.
  bundlePath = "${trustPackage}/etc/ssl/certs/ca-bundle.crt";
in
{
  options.security.pki = {

    # Extra PEM files appended to the Mozilla store.
    certificateFiles = lib.mkOption {
      type = lib.types.listOf lib.types.path;
      default = [];
      example = lib.literalExpression ''[ "''${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]'';
      description = lib.mdDoc ''
        A list of files containing trusted root certificates in PEM
        format. These are concatenated to form
        {file}`/etc/ssl/certs/ca-certificates.crt`, which is
        used by many programs that use OpenSSL, such as
        {command}`curl` and {command}`git`.
      '';
    };

    # Extra inline PEM strings appended to the Mozilla store.
    certificates = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [];
      example = lib.literalExpression ''
        [ '''
            NixOS.org
            =========
            -----BEGIN CERTIFICATE-----
            MIIGUDCCBTigAwIBAgIDD8KWMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
            TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
            ...
            -----END CERTIFICATE-----
          '''
        ]
      '';
      description = lib.mdDoc ''
        A list of trusted root certificates in PEM format.
      '';
    };

    # Mozilla-store CA names to leave out of the generated bundle.  Matching
    # is by the names used in the store itself (see the description).
    caCertificateBlacklist = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [];
      example = [
        "WoSign" "WoSign China"
        "CA WoSign ECC Root"
        "Certification Authority of WoSign G2"
      ];
      description = lib.mdDoc ''
        A list of blacklisted CA certificate names that won't be imported from
        the Mozilla Trust Store into
        {file}`/etc/ssl/certs/ca-certificates.crt`. Use the
        names from that file. 
      '';
    };

  };

  # Publish the same bundle at every path a consumer might hard-code.
  config.environment.etc = {

    # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility.
    "ssl/certs/ca-certificates.crt".source = bundlePath;

    # Old NixOS compatibility.
    "ssl/certs/ca-bundle.crt".source = bundlePath;

    # CentOS/Fedora compatibility.
    "pki/tls/certs/ca-bundle.crt".source = bundlePath;

    # P11-Kit trust source, taken from the `p11kit` attribute of the same
    # overridden package so it should carry the same exclusions/additions.
    "ssl/trust-source".source = "${trustPackage.p11kit}/etc/ssl/trust-source";

  };

}