diff options
author | Luke Granger-Brown <git@lukegb.com> | 2021-06-12 19:29:26 +0000 |
---|---|---|
committer | Luke Granger-Brown <git@lukegb.com> | 2021-10-08 01:21:57 +0000 |
commit | 1b74469cd087f4d08b9101fecc52f9ebae058e9f (patch) | |
tree | 48e3f98d7754e76bdeebaf14bf78887a226a9529 /nixos/modules/security/ca.nix | |
parent | 147a61ad5962bca470d62961d76a91fff5dde06a (diff) | |
download | nixpkgs-1b74469cd087f4d08b9101fecc52f9ebae058e9f.tar nixpkgs-1b74469cd087f4d08b9101fecc52f9ebae058e9f.tar.gz nixpkgs-1b74469cd087f4d08b9101fecc52f9ebae058e9f.tar.bz2 nixpkgs-1b74469cd087f4d08b9101fecc52f9ebae058e9f.tar.lz nixpkgs-1b74469cd087f4d08b9101fecc52f9ebae058e9f.tar.xz nixpkgs-1b74469cd087f4d08b9101fecc52f9ebae058e9f.tar.zst nixpkgs-1b74469cd087f4d08b9101fecc52f9ebae058e9f.zip |
nixos/ca: use cacert package build for options and p11-kit output
The cacert package can now generate p11-kit-compatible output itself, as well as generating the correct set of outputs for fully-joined and unbundled "traditional" outputs (in standard PEM and OpenSSL-compatible formats).
Diffstat (limited to 'nixos/modules/security/ca.nix')
-rw-r--r-- | nixos/modules/security/ca.nix | 19 |
1 files changed, 9 insertions, 10 deletions
diff --git a/nixos/modules/security/ca.nix b/nixos/modules/security/ca.nix index 83c15f90f92..f71d9d90ec5 100644 --- a/nixos/modules/security/ca.nix +++ b/nixos/modules/security/ca.nix @@ -8,12 +8,10 @@ let cacertPackage = pkgs.cacert.override { blacklist = cfg.caCertificateBlacklist; + extraCertificateFiles = cfg.certificateFiles; + extraCertificateStrings = cfg.certificates; }; - - caCertificates = pkgs.runCommand "ca-certificates.crt" { - files = cfg.certificateFiles ++ [ (builtins.toFile "extra.crt" (concatStringsSep "\n" cfg.certificates)) ]; - preferLocalBuild = true; - } "awk 1 $files > $out"; # awk ensures a newline between each pair of consecutive files + caBundle = "${cacertPackage}/etc/ssl/certs/ca-bundle.crt"; in @@ -74,16 +72,17 @@ in config = { - security.pki.certificateFiles = [ "${cacertPackage}/etc/ssl/certs/ca-bundle.crt" ]; - # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility. - environment.etc."ssl/certs/ca-certificates.crt".source = caCertificates; + environment.etc."ssl/certs/ca-certificates.crt".source = caBundle; # Old NixOS compatibility. - environment.etc."ssl/certs/ca-bundle.crt".source = caCertificates; + environment.etc."ssl/certs/ca-bundle.crt".source = caBundle; # CentOS/Fedora compatibility. - environment.etc."pki/tls/certs/ca-bundle.crt".source = caCertificates; + environment.etc."pki/tls/certs/ca-bundle.crt".source = caBundle; + + # P11-Kit trust source. + environment.etc."ssl/trust-source".source = "${cacertPackage.p11kit}/etc/ssl/trust-source"; }; |