{
  config,
  lib,
  pkgs,
  ...
}:
let
  pkiCfg = config.security.pki;

  # The system trust store: the Mozilla roots minus the blacklisted names,
  # plus whatever is supplied through certificateFiles / certificates.
  # Everything that ends up here is a root trusted system-wide, so user
  # additions carry exactly the same weight as the Mozilla roots.
  trustStore = pkgs.cacert.override {
    blacklist = pkiCfg.caCertificateBlacklist;
    extraCertificateFiles = pkiCfg.certificateFiles;
    extraCertificateStrings = pkiCfg.certificates;
  };

  # Two bundle flavours are shipped by the cacert package.  The "no trust
  # rules" one contains plain BEGIN CERTIFICATE blocks only, i.e. the
  # OpenSSL TRUSTED CERTIFICATE trust rules are dropped (see the option text).
  bundleFile =
    if pkiCfg.useCompatibleBundle then
      "ca-no-trust-rules-bundle.crt"
    else
      "ca-bundle.crt";

  # Absolute store path of the selected bundle file.
  bundlePath = "${trustStore}/etc/ssl/certs/${bundleFile}";

  # /etc locations that all receive the same bundle, one per distribution
  # convention that software tends to hard-code.
  bundleLocations = [
    "ssl/certs/ca-certificates.crt" # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility
    "ssl/certs/ca-bundle.crt" # Old NixOS compatibility
    "pki/tls/certs/ca-bundle.crt" # CentOS/Fedora compatibility
  ];
in
{
  options.security.pki = {
    # Internal switch: on by default, not meant to be user-facing.
    installCACerts = lib.mkEnableOption "installing CA certificates to the system" // {
      default = true;
      internal = true;
    };

    # Opting in trades the per-certificate trust rules for compatibility;
    # the description spells out the consequence.
    useCompatibleBundle = lib.mkEnableOption ''
      usage of a compatibility bundle.

      Such a bundle consists exclusively of `BEGIN CERTIFICATE` and no `BEGIN TRUSTED CERTIFICATE`,
      which is an OpenSSL specific PEM format.

      It is known to be incompatible with certain software stacks.

      Nevertheless, enabling this will strip all additional trust rules provided by the
      certificates themselves. This can have security consequences depending on your usecases
    '';

    # Extra PEM files appended to the bundle (fed to cacert as
    # extraCertificateFiles above).
    certificateFiles = lib.mkOption {
      type = lib.types.listOf lib.types.path;
      default = [ ];
      example = lib.literalExpression ''[ "''${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]'';
      description = ''
        A list of files containing trusted root certificates in PEM
        format. These are concatenated to form
        {file}`/etc/ssl/certs/ca-certificates.crt`, which is
        used by many programs that use OpenSSL, such as
        {command}`curl` and {command}`git`.
      '';
    };

    # Extra PEM blobs given inline (fed to cacert as
    # extraCertificateStrings above).
    certificates = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      example = lib.literalExpression ''
        [ '''
            NixOS.org
            =========
            -----BEGIN CERTIFICATE-----
            MIIGUDCCBTigAwIBAgIDD8KWMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
            TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
            ...
            -----END CERTIFICATE-----
          '''
        ]
      '';
      description = ''
        A list of trusted root certificates in PEM format.
      '';
    };

    # Names to drop from the Mozilla store (fed to cacert as blacklist above).
    caCertificateBlacklist = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      example = [
        "WoSign"
        "WoSign China"
        "CA WoSign ECC Root"
        "Certification Authority of WoSign G2"
      ];
      description = ''
        A list of blacklisted CA certificate names that won't be imported from
        the Mozilla Trust Store into
        {file}`/etc/ssl/certs/ca-certificates.crt`. Use the
        names from that file.
      '';
    };

    # Exported for other modules; readOnly so nothing can redirect it.
    caBundle = lib.mkOption {
      type = lib.types.path;
      readOnly = true;
      description = ''
        (Read-only) the path to the final bundle of certificate authorities as a single file.
      '';
    };
  };

  config = {
    # Only the /etc links are gated by installCACerts; caBundle is set
    # regardless.
    environment.etc = lib.mkIf pkiCfg.installCACerts (
      lib.genAttrs bundleLocations (_: { source = bundlePath; })
      // {
        # P11-Kit trust source.
        "ssl/trust-source".source = "${trustStore.p11kit}/etc/ssl/trust-source";
      }
    );

    security.pki.caBundle = bundlePath;
  };
}