-rw-r--r--nixos/modules/security/ca.nix19
-rw-r--r--pkgs/applications/networking/browsers/firefox/common.nix4
2 files changed, 10 insertions, 13 deletions
diff --git a/nixos/modules/security/ca.nix b/nixos/modules/security/ca.nix
index 83c15f90f92..f71d9d90ec5 100644
--- a/nixos/modules/security/ca.nix
+++ b/nixos/modules/security/ca.nix
@@ -8,12 +8,10 @@ let
 
   cacertPackage = pkgs.cacert.override {
     blacklist = cfg.caCertificateBlacklist;
+    extraCertificateFiles = cfg.certificateFiles;
+    extraCertificateStrings = cfg.certificates;
   };
-
-  caCertificates = pkgs.runCommand "ca-certificates.crt" {
-    files = cfg.certificateFiles ++ [ (builtins.toFile "extra.crt" (concatStringsSep "\n" cfg.certificates)) ];
-    preferLocalBuild = true;
-  } "awk 1 $files > $out";  # awk ensures a newline between each pair of consecutive files
+  caBundle = "${cacertPackage}/etc/ssl/certs/ca-bundle.crt";
 
 in
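Review bot: The removed `awk 1 $files` step existed specifically to guarantee a newline between consecutive PEM inputs; the new override delegates that joining to `pkgs.cacert`'s `extraCertificateFiles` / `extraCertificateStrings`, whose implementation is not in this diff. If cacert concatenates without inserting a separator, a user file that lacks a trailing newline fuses its `-----END CERTIFICATE-----` with the next `-----BEGIN CERTIFICATE-----` and silently drops both entries from the bundle, so that behaviour should be confirmed (or covered by a test) before relying on it. It is also worth documenting at the override whether `caCertificateBlacklist` is applied to the extra certificates or only to the Mozilla roots, since the old code never filtered user-supplied files; e.g. `# extra* are appended by cacert itself; blacklist scope: TODO confirm whether it also filters these`.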
 
@@ -74,16 +72,17 @@ in
 
   config = {
 
-    security.pki.certificateFiles = [ "${cacertPackage}/etc/ssl/certs/ca-bundle.crt" ];
-
     # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility.
-    environment.etc."ssl/certs/ca-certificates.crt".source = caCertificates;
+    environment.etc."ssl/certs/ca-certificates.crt".source = caBundle;
 
     # Old NixOS compatibility.
-    environment.etc."ssl/certs/ca-bundle.crt".source = caCertificates;
+    environment.etc."ssl/certs/ca-bundle.crt".source = caBundle;
 
     # CentOS/Fedora compatibility.
-    environment.etc."pki/tls/certs/ca-bundle.crt".source = caCertificates;
+    environment.etc."pki/tls/certs/ca-bundle.crt".source = caBundle;
+
+    # P11-Kit trust source.
+    environment.etc."ssl/trust-source".source = "${cacertPackage.p11kit}/etc/ssl/trust-source";
 
   };
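Review bot: Dropping the `security.pki.certificateFiles = [ "${cacertPackage}/etc/ssl/certs/ca-bundle.crt" ];` default changes what that option evaluates to — it now contains only user-supplied files — so any other module that reads `config.security.pki.certificateFiles` to assemble its own trust store would silently lose the Mozilla roots; whether such readers exist is not visible here and should be checked before merging. The new `ssl/trust-source` entry widens what the module exposes and deserves a comment stating its trust implications, e.g. `# P11-Kit trust source built from the same overridden cacert, so the blacklist and extra certificates apply to p11-kit/NSS consumers too.` The `config` attribute set starts before this hunk and continues past it.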
 
diff --git a/pkgs/applications/networking/browsers/firefox/common.nix b/pkgs/applications/networking/browsers/firefox/common.nix
index 2600b5209bb..a1a215aefcb 100644
--- a/pkgs/applications/networking/browsers/firefox/common.nix
+++ b/pkgs/applications/networking/browsers/firefox/common.nix
@@ -117,9 +117,7 @@ let
                 then overrideCC stdenv llvmPackages.clangUseLLVM
                 else stdenv;
 
-  # Disable p11-kit support in nss until our cacert packages has caught up exposing CKA_NSS_MOZILLA_CA_POLICY
-  # https://github.com/NixOS/nixpkgs/issues/126065
-  nss_pkg = if lib.versionOlder version "83" then nss_3_53 else nss.override { useP11kit = false; };
+  nss_pkg = if lib.versionOlder version "83" then nss_3_53 else nss;
 
   # --enable-release adds -ffunction-sections & LTO that require a big amount of
   # RAM and the 32-bit memory space cannot handle that linking
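Review bot: The removed comment tied `useP11kit = false` to cacert not yet exposing `CKA_NSS_MOZILLA_CA_POLICY`, but nothing in this patch shows that attribute being set by the p11kit output, so re-enabling p11-kit here rests on a change outside this diff and the precondition should be verified rather than assumed. Since the effect is that Firefox's NSS now trusts the system trust source, the line deserves a replacement comment rather than none, e.g. `# nss with p11-kit trusts /etc/ssl/trust-source, so certificates added via security.pki.* become browser-trusted CAs; requires cacert's p11kit output to set CKA_NSS_MOZILLA_CA_POLICY (see #126065).` The enclosing `let` block starts before this hunk and continues past it.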