authorMichael Hoang <enzime@users.noreply.github.com>2023-06-07 12:41:59 +1000
committerMichael Hoang <enzime@users.noreply.github.com>2023-07-06 21:32:08 +1000
commit98d970bc375c37a2f9c5c276d80ae2a3d8b1e4a5 (patch)
treea740cce8f08ec5b752302f27ce29da51faf48b5d
parent285f5e858eb204ecf08a60c40a99aee1d2dc7bd1 (diff)
nixos/qemu-vm: use CA certificates from host
-rw-r--r--nixos/modules/profiles/macos-builder.nix4
-rw-r--r--nixos/modules/security/ca.nix6
-rw-r--r--nixos/modules/virtualisation/qemu-vm.nix28
3 files changed, 36 insertions, 2 deletions
diff --git a/nixos/modules/profiles/macos-builder.nix b/nixos/modules/profiles/macos-builder.nix
index f1c991d6ffa..7ed68f06476 100644
--- a/nixos/modules/profiles/macos-builder.nix
+++ b/nixos/modules/profiles/macos-builder.nix
@@ -234,6 +234,10 @@ in
       # This ensures that anything built on the guest isn't lost when the guest is
       # restarted.
       writableStoreUseTmpfs = false;
+
+      # Pass certificates from host to the guest otherwise when custom CA certificates
+      # are required we can't use the cached builder.
+      useHostCerts = true;
     };
   };
 }
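Review bot: The added comment is a run-on and its causal chain is hard to parse on first read; consider `# Pass certificates from the host to the guest; otherwise, when custom CA certificates are required, the cached builder cannot be used.` Since this profile turns `useHostCerts` on by default, it would also help to say here that the host's `NIX_SSL_CERT_FILE` must point to a readable bundle, because the guest's own CA bundle is suppressed when this option is set. The enclosing attribute set starts before the hunk.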
diff --git a/nixos/modules/security/ca.nix b/nixos/modules/security/ca.nix
index c704e2c1f51..3cd56bff04d 100644
--- a/nixos/modules/security/ca.nix
+++ b/nixos/modules/security/ca.nix
@@ -18,6 +18,10 @@ in
 {
 
   options = {
+    security.pki.installCACerts = mkEnableOption "Add CA certificates to system" // {
+      default = true;
+      internal = true;
+    };
 
     security.pki.certificateFiles = mkOption {
       type = types.listOf types.path;
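Review bot: `security.pki.installCACerts` is marked `internal`, so its one-phrase description is the only explanation a reader of ca.nix gets, and nothing says when or why it should be disabled. A short comment above the option, e.g. `# Internal switch used by other modules (currently the QEMU VM runner) to replace the built-in bundle with one supplied from outside; leave at the default elsewhere.`, would make the coupling explicit. Because the second hunk wraps the entire `config` set in `mkIf cfg.installCACerts`, turning it off removes every file that block installs, not just `ca-certificates.crt`; the rest of that block is outside the hunk, so the comment should also say that disabling it leaves the system with no trust store unless the caller provides one.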
@@ -70,7 +74,7 @@ in
 
   };
 
-  config = {
+  config = mkIf cfg.installCACerts {
 
     # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility.
     environment.etc."ssl/certs/ca-certificates.crt".source = caBundle;
diff --git a/nixos/modules/virtualisation/qemu-vm.nix b/nixos/modules/virtualisation/qemu-vm.nix
index 4aac0fa90e8..d0a5ddd87cc 100644
--- a/nixos/modules/virtualisation/qemu-vm.nix
+++ b/nixos/modules/virtualisation/qemu-vm.nix
@@ -166,6 +166,16 @@ let
       # Create a directory for exchanging data with the VM.
       mkdir -p "$TMPDIR/xchg"
 
+      ${lib.optionalString cfg.useHostCerts
+      ''
+        mkdir -p "$TMPDIR/certs"
+        if [ -e "$NIX_SSL_CERT_FILE" ]; then
+          cp -L "$NIX_SSL_CERT_FILE" "$TMPDIR"/certs/ca-certificates.crt
+        else
+          echo \$NIX_SSL_CERT_FILE should point to a valid file if virtualisation.useHostCerts is enabled.
+        fi
+      ''}
+
       ${lib.optionalString cfg.useEFIBoot
       ''
         # Expose EFI variables, it's useful even when we are not using a bootloader (!).
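Review bot: When `NIX_SSL_CERT_FILE` is unset or names a missing file, the `else` branch of the new block only prints a message to stdout and the script continues, so the VM boots with an empty `$TMPDIR/certs` mounted over `/etc/ssl/certs` and, since this commit also forces `security.pki.installCACerts` off, no trust store at all; with macos-builder enabling `useHostCerts` by default this degrades silently. Consider `echo "\$NIX_SSL_CERT_FILE should point to a valid file if virtualisation.useHostCerts is enabled." >&2` followed by `exit 1`, or state in the option description that the guest is deliberately left without certificates in that case. The directory is also not cleared before the copy, so a bundle left by an earlier run would be reused if the variable is later unset; an `rm -f "$TMPDIR"/certs/ca-certificates.crt` before the `if` would avoid that.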
@@ -877,7 +887,6 @@ in
           '';
       };
 
-
     virtualisation.bios =
       mkOption {
         type = types.nullOr types.package;
@@ -890,6 +899,17 @@ in
           '';
       };
 
+    virtualisation.useHostCerts =
+      mkOption {
+        type = types.bool;
+        default = false;
+        description =
+          lib.mdDoc ''
+            If enabled, when `NIX_SSL_CERT_FILE` is set on the host,
+            pass the CA certificates from the host to the VM.
+          '';
+      };
+
   };
 
   config = {
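Review bot: The description of `virtualisation.useHostCerts` does not mention the two effects that matter for a user deciding whether to enable it: the file named by `NIX_SSL_CERT_FILE` is copied to `$TMPDIR/certs` and mounted over the guest's `/etc/ssl/certs`, and the guest's own CA bundle is disabled (`security.pki.installCACerts` is set to false), so the guest trusts exactly what the host trusts and any `security.pki.certificateFiles` configured in the guest no longer take effect. Suggest extending the description with a sentence stating that the host bundle replaces, rather than supplements, the guest's certificate store, and that `NIX_SSL_CERT_FILE` must point to an existing file for the VM to start with a usable trust store.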
@@ -1024,8 +1044,14 @@ in
         source = ''"''${SHARED_DIR:-$TMPDIR/xchg}"'';
         target = "/tmp/shared";
       };
+      certs = mkIf cfg.useHostCerts {
+        source = ''"$TMPDIR"/certs'';
+        target = "/etc/ssl/certs";
+      };
     };
 
+    security.pki.installCACerts = mkIf cfg.useHostCerts false;
+
     virtualisation.qemu.networkingOptions =
       let
         forwardingOptions = flip concatMapStrings cfg.forwardPorts
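Review bot: Sharing `$TMPDIR/certs` over `/etc/ssl/certs` provides only `ca-certificates.crt`, so whatever else ca.nix would normally install (the visible ca.nix hunk shows only the canonical path; the remainder of that block is outside view) is absent in the guest, and any `security.pki.certificateFiles` set in the guest configuration is silently dropped because `installCACerts` is forced to false on the line below the share. An assertion, or at least a `warnings` entry, when `cfg.useHostCerts` is combined with non-default `security.pki.certificateFiles` would surface that conflict instead of leaving the user to discover missing certificates at runtime. The `sharedDirectories` attribute set starts before the hunk.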