pyrox.dev / nixpkgs
lol
fork atom

nixos/qemu-vm: use CA certificates from host

Michael Hoang 98d970bc 285f5e85

options
unified split
Changed files
+36 -2
nixos
modules
profiles
macos-builder.nix
security
ca.nix
virtualisation
qemu-vm.nix
+4
nixos/modules/profiles/macos-builder.nix 
···

       
234

       
234

       
 

       
      # This ensures that anything built on the guest isn't lost when the guest is


     

       
235

       
235

       
 

       
      # restarted.


     

       
236

       
236

       
 

       
      writableStoreUseTmpfs = false;


     

       

       
237

       
+

       



     

       

       
238

       
+

       
      # Pass certificates from host to the guest otherwise when custom CA certificates


     

       

       
239

       
+

       
      # are required we can't use the cached builder.


     

       

       
240

       
+

       
      useHostCerts = true;


     

       
237

       
241

       
 

       
    };


     

       
238

       
242

       
 

       
  };


     

       
239

       
243

       
 

       
}
+5 -1
nixos/modules/security/ca.nix 
···

       
18

       
18

       
 

       
{


     

       
19

       
19

       
 

       



     

       
20

       
20

       
 

       
  options = {


     

       

       
21

       
+

       
    security.pki.installCACerts = mkEnableOption "Add CA certificates to system" // {


     

       

       
22

       
+

       
      default = true;


     

       

       
23

       
+

       
      internal = true;


     

       

       
24

       
+

       
    };


     

       
21

       
25

       
 

       



     

       
22

       
26

       
 

       
    security.pki.certificateFiles = mkOption {


     

       
23

       
27

       
 

       
      type = types.listOf types.path;


     
···

       
70

       
74

       
 

       



     

       
71

       
75

       
 

       
  };


     

       
72

       
76

       
 

       



     

       
73

       

       
-

       
  config = {


     

       

       
77

       
+

       
  config = mkIf cfg.installCACerts {


     

       
74

       
78

       
 

       



     

       
75

       
79

       
 

       
    # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility.


     

       
76

       
80

       
 

       
    environment.etc."ssl/certs/ca-certificates.crt".source = caBundle;
+27 -1
nixos/modules/virtualisation/qemu-vm.nix 
···

       
166

       
166

       
 

       
      # Create a directory for exchanging data with the VM.


     

       
167

       
167

       
 

       
      mkdir -p "$TMPDIR/xchg"


     

       
168

       
168

       
 

       



     

       

       
169

       
+

       
      ${lib.optionalString cfg.useHostCerts


     

       

       
170

       
+

       
      ''


     

       

       
171

       
+

       
        mkdir -p "$TMPDIR/certs"


     

       

       
172

       
+

       
        if [ -e "$NIX_SSL_CERT_FILE" ]; then


     

       

       
173

       
+

       
          cp -L "$NIX_SSL_CERT_FILE" "$TMPDIR"/certs/ca-certificates.crt


     

       

       
174

       
+

       
        else


     

       

       
175

       
+

       
          echo \$NIX_SSL_CERT_FILE should point to a valid file if virtualisation.useHostCerts is enabled.


     

       

       
176

       
+

       
        fi


     

       

       
177

       
+

       
      ''}


     

       

       
178

       
+

       



     

       
169

       
179

       
 

       
      ${lib.optionalString cfg.useEFIBoot


     

       
170

       
180

       
 

       
      ''


     

       
171

       
181

       
 

       
        # Expose EFI variables, it's useful even when we are not using a bootloader (!).


     
···

       
877

       
887

       
 

       
          '';


     

       
878

       
888

       
 

       
      };


     

       
879

       
889

       
 

       



     

       
880

       

       
-

       



     

       
881

       
890

       
 

       
    virtualisation.bios =


     

       
882

       
891

       
 

       
      mkOption {


     

       
883

       
892

       
 

       
        type = types.nullOr types.package;


     
···

       
887

       
896

       
 

       
            An alternate BIOS (such as `qboot`) with which to start the VM.


     

       
888

       
897

       
 

       
            Should contain a file named `bios.bin`.


     

       
889

       
898

       
 

       
            If `null`, QEMU's builtin SeaBIOS will be used.


     

       

       
899

       
+

       
          '';


     

       

       
900

       
+

       
      };


     

       

       
901

       
+

       



     

       

       
902

       
+

       
    virtualisation.useHostCerts =


     

       

       
903

       
+

       
      mkOption {


     

       

       
904

       
+

       
        type = types.bool;


     

       

       
905

       
+

       
        default = false;


     

       

       
906

       
+

       
        description =


     

       

       
907

       
+

       
          lib.mdDoc ''


     

       

       
908

       
+

       
            If enabled, when `NIX_SSL_CERT_FILE` is set on the host,


     

       

       
909

       
+

       
            pass the CA certificates from the host to the VM.


     

       
890

       
910

       
 

       
          '';


     

       
891

       
911

       
 

       
      };


     

       
892

       
912

       
 

       



     
···

       
1024

       
1044

       
 

       
        source = ''"''${SHARED_DIR:-$TMPDIR/xchg}"'';


     

       
1025

       
1045

       
 

       
        target = "/tmp/shared";


     

       
1026

       
1046

       
 

       
      };


     

       

       
1047

       
+

       
      certs = mkIf cfg.useHostCerts {


     

       

       
1048

       
+

       
        source = ''"$TMPDIR"/certs'';


     

       

       
1049

       
+

       
        target = "/etc/ssl/certs";


     

       

       
1050

       
+

       
      };


     

       
1027

       
1051

       
 

       
    };


     

       

       
1052

       
+

       



     

       

       
1053

       
+

       
    security.pki.installCACerts = mkIf cfg.useHostCerts false;


     

       
1028

       
1054

       
 

       



     

       
1029

       
1055

       
 

       
    virtualisation.qemu.networkingOptions =


     

       
1030

       
1056

       
 

       
      let