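{ config, lib, pkgs, ... }:

with lib;

let

  cfg = config.security.pki;

  # The system trust bundle is a single derivation: the Mozilla trust store
  # shipped by pkgs.cacert, minus the blacklisted CA names, plus the
  # operator-supplied certificates. Every path installed below is derived from
  # this one package, so all compatibility locations expose the same set of
  # trust anchors.
  cacertPackage = pkgs.cacert.override {
    blacklist = cfg.caCertificateBlacklist;
    extraCertificateFiles = cfg.certificateFiles;
    extraCertificateStrings = cfg.certificates;
  };
  caBundle = "${cacertPackage}/etc/ssl/certs/ca-bundle.crt";

in

{

  options = {
    # Internal (undocumented) switch so other modules can disable installation
    # of the system trust store altogether. On by default.
    security.pki.installCACerts = mkEnableOption "Add CA certificates to system" // {
      default = true;
      internal = true;
    };

    security.pki.certificateFiles = mkOption {
      type = types.listOf types.path;
      default = [];
      example = literalExpression ''[ "''${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]'';
      description = lib.mdDoc ''
        A list of files containing trusted root certificates in PEM
        format. These are concatenated to form
        {file}`/etc/ssl/certs/ca-certificates.crt`, which is
        used by many programs that use OpenSSL, such as
        {command}`curl` and {command}`git`.

        Every certificate listed here becomes a system-wide trust anchor:
        any certificate chaining to it is accepted by every program that
        reads the bundle, so a compromise of that CA's private key allows
        interception of TLS traffic on this host. Keep the list as short as
        possible and only add CAs you control or explicitly trust. The files
        are read at build time and end up in the Nix store, which is
        world-readable, so they must contain public certificate material
        only, never private keys.
      '';
    };

    security.pki.certificates = mkOption {
      type = types.listOf types.str;
      default = [];
      example = literalExpression ''
        [ '''
            NixOS.org
            =========
            -----BEGIN CERTIFICATE-----
            MIIGUDCCBTigAwIBAgIDD8KWMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
            TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
            ...
            -----END CERTIFICATE-----
          '''
        ]
      '';
      description = lib.mdDoc ''
        A list of trusted root certificates in PEM format.

        Each entry is added to {file}`/etc/ssl/certs/ca-certificates.crt`
        as a system-wide trust anchor, with the same caveats as
        {option}`security.pki.certificateFiles`. The blacklist in
        {option}`security.pki.caCertificateBlacklist` is described as
        filtering the Mozilla trust store, so do not rely on it to remove
        certificates you add here.
      '';
    };

    security.pki.caCertificateBlacklist = mkOption {
      type = types.listOf types.str;
      default = [];
      example = [
        "WoSign" "WoSign China"
        "CA WoSign ECC Root"
        "Certification Authority of WoSign G2"
      ];
      description = lib.mdDoc ''
        A list of blacklisted CA certificate names that won't be imported from
        the Mozilla Trust Store into
        {file}`/etc/ssl/certs/ca-certificates.crt`. Use the
        names exactly as they appear in that file: matching is by name, so a
        misspelled or renamed entry is unlikely to match anything and the CA
        would remain trusted. After changing this list, confirm the
        certificate is absent from the generated bundle rather than assuming
        it was removed.
      '';
    };

  };

  config = mkIf cfg.installCACerts {

    # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility.
    # All of these are the same file, so the trust set cannot drift between
    # programs that look in different conventional places.
    environment.etc."ssl/certs/ca-certificates.crt".source = caBundle;

    # Old NixOS compatibility.
    environment.etc."ssl/certs/ca-bundle.crt".source = caBundle;

    # CentOS/Fedora compatibility.
    environment.etc."pki/tls/certs/ca-bundle.crt".source = caBundle;

    # P11-Kit trust source: the same trust store in the layout consumed by
    # programs that resolve trust through p11-kit rather than by reading a
    # single concatenated bundle. Built from the same cacertPackage, so it
    # reflects the same blacklist and extra certificates.
    environment.etc."ssl/trust-source".source = "${cacertPackage.p11kit}/etc/ssl/trust-source";

  };

}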