diff options
| author | Alyssa Ross <hi@alyssa.is> | 2022-05-31 09:59:33 +0000 |
|---|---|---|
| committer | Alyssa Ross <hi@alyssa.is> | 2022-05-31 09:59:57 +0000 |
| commit | 9ff36293d1e428cd7bf03e8d4b03611b6d361c28 (patch) | |
| tree | 1ab51a42b868c55b83f6ccdb80371b9888739dd9 /nixos/modules/security/ca.nix | |
| parent | 1c4fcd0d4b0541e674ee56ace1053e23e562cc80 (diff) | |
| parent | ddc3c396a51918043bb0faa6f676abd9562be62c (diff) | |
| download | nixpkgs-archive.tar nixpkgs-archive.tar.gz nixpkgs-archive.tar.bz2 nixpkgs-archive.tar.lz nixpkgs-archive.tar.xz nixpkgs-archive.tar.zst nixpkgs-archive.zip | |
Last good Nixpkgs for Weston+nouveau? archive
I came this commit hash to terwiz[m] on IRC, who is trying to figure out what the last version of Spectrum that worked on their NUC with Nvidia graphics is.
Diffstat (limited to 'nixos/modules/security/ca.nix')
| -rw-r--r-- | nixos/modules/security/ca.nix | 89 |
1 files changed, 89 insertions, 0 deletions
diff --git a/nixos/modules/security/ca.nix b/nixos/modules/security/ca.nix new file mode 100644 index 00000000000..f71d9d90ec5 --- /dev/null +++ b/nixos/modules/security/ca.nix @@ -0,0 +1,89 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.security.pki; + + cacertPackage = pkgs.cacert.override { + blacklist = cfg.caCertificateBlacklist; + extraCertificateFiles = cfg.certificateFiles; + extraCertificateStrings = cfg.certificates; + }; + caBundle = "${cacertPackage}/etc/ssl/certs/ca-bundle.crt"; + +in + +{ + + options = { + + security.pki.certificateFiles = mkOption { + type = types.listOf types.path; + default = []; + example = literalExpression ''[ "''${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]''; + description = '' + A list of files containing trusted root certificates in PEM + format. These are concatenated to form + <filename>/etc/ssl/certs/ca-certificates.crt</filename>, which is + used by many programs that use OpenSSL, such as + <command>curl</command> and <command>git</command>. + ''; + }; + + security.pki.certificates = mkOption { + type = types.listOf types.str; + default = []; + example = literalExpression '' + [ ''' + NixOS.org + ========= + -----BEGIN CERTIFICATE----- + MIIGUDCCBTigAwIBAgIDD8KWMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ + TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0 + ... + -----END CERTIFICATE----- + ''' + ] + ''; + description = '' + A list of trusted root certificates in PEM format. + ''; + }; + + security.pki.caCertificateBlacklist = mkOption { + type = types.listOf types.str; + default = []; + example = [ + "WoSign" "WoSign China" + "CA WoSign ECC Root" + "Certification Authority of WoSign G2" + ]; + description = '' + A list of blacklisted CA certificate names that won't be imported from + the Mozilla Trust Store into + <filename>/etc/ssl/certs/ca-certificates.crt</filename>. Use the + names from that file. + ''; + }; + + }; + + config = { + + # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility. + environment.etc."ssl/certs/ca-certificates.crt".source = caBundle; + + # Old NixOS compatibility. + environment.etc."ssl/certs/ca-bundle.crt".source = caBundle; + + # CentOS/Fedora compatibility. + environment.etc."pki/tls/certs/ca-bundle.crt".source = caBundle; + + # P11-Kit trust source. + environment.etc."ssl/trust-source".source = "${cacertPackage.p11kit}/etc/ssl/trust-source"; + + }; + +} |