From 98d970bc375c37a2f9c5c276d80ae2a3d8b1e4a5 Mon Sep 17 00:00:00 2001 From: Michael Hoang Date: Wed, 7 Jun 2023 12:41:59 +1000 Subject: nixos/qemu-vm: use CA certificates from host --- nixos/modules/virtualisation/qemu-vm.nix | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) (limited to 'nixos/modules/virtualisation') diff --git a/nixos/modules/virtualisation/qemu-vm.nix b/nixos/modules/virtualisation/qemu-vm.nix index 4aac0fa90e8..d0a5ddd87cc 100644 --- a/nixos/modules/virtualisation/qemu-vm.nix +++ b/nixos/modules/virtualisation/qemu-vm.nix @@ -166,6 +166,16 @@ let # Create a directory for exchanging data with the VM. mkdir -p "$TMPDIR/xchg" + ${lib.optionalString cfg.useHostCerts + '' + mkdir -p "$TMPDIR/certs" + if [ -e "$NIX_SSL_CERT_FILE" ]; then + cp -L "$NIX_SSL_CERT_FILE" "$TMPDIR"/certs/ca-certificates.crt + else + echo \$NIX_SSL_CERT_FILE should point to a valid file if virtualisation.useHostCerts is enabled. + fi + ''} + ${lib.optionalString cfg.useEFIBoot '' # Expose EFI variables, it's useful even when we are not using a bootloader (!). @@ -877,7 +887,6 @@ in ''; }; - virtualisation.bios = mkOption { type = types.nullOr types.package; @@ -890,6 +899,17 @@ in ''; }; + virtualisation.useHostCerts = + mkOption { + type = types.bool; + default = false; + description = + lib.mdDoc '' + If enabled, when `NIX_SSL_CERT_FILE` is set on the host, + pass the CA certificates from the host to the VM. + ''; + }; + }; config = { @@ -1024,8 +1044,14 @@ in source = ''"''${SHARED_DIR:-$TMPDIR/xchg}"''; target = "/tmp/shared"; }; + certs = mkIf cfg.useHostCerts { + source = ''"$TMPDIR"/certs''; + target = "/etc/ssl/certs"; + }; }; + security.pki.installCACerts = mkIf cfg.useHostCerts false; + virtualisation.qemu.networkingOptions = let forwardingOptions = flip concatMapStrings cfg.forwardPorts -- cgit 1.4.1
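Review bot: The `else` branch in the first hunk only echoes a message to stdout and lets the VM script continue, but the later hunks still disable `security.pki.installCACerts` and mount `$TMPDIR/certs` over `/etc/ssl/certs` whenever `useHostCerts` is on, so a host with `NIX_SSL_CERT_FILE` unset boots a guest whose `/etc/ssl/certs` is an empty directory and every TLS verification fails with an unrelated-looking error. Since the option explicitly asks for the host bundle, a missing or unreadable file is a misconfiguration worth failing on at script start: change the test to `if [ -f "$NIX_SSL_CERT_FILE" ]; then` (`-f` rather than `-e`, so a directory is rejected before `cp -L` fails), redirect the existing `echo ... >&2`, and add `exit 1` after it. If continuing silently is intended, the message at least belongs on stderr so it is not lost in the script's normal output. The `${lib.optionalString cfg.useEFIBoot` block that follows starts inside this hunk but runs past its end.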
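Review bot: The `useHostCerts` description understates what enabling it does: the `config` hunk also forces `security.pki.installCACerts` off and mounts the copied file over `/etc/ssl/certs`, so the guest's trust store becomes exactly the host's `NIX_SSL_CERT_FILE` and nothing else, and if that variable is unset or not a regular file on the host the guest ends up with no CA bundle at all. Someone toggling this on a test VM should be told that trade-off; extend the `lib.mdDoc` text with something like: `Enabling this disables security.pki.installCACerts in the guest and replaces /etc/ssl/certs with a copy of the host bundle; if NIX_SSL_CERT_FILE is unset or unreadable on the host, the guest has no trusted CAs.`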
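Review bot: The `certs` share mounts a directory containing only `ca-certificates.crt` on top of `/etc/ssl/certs`, whereas the normal `security.pki` setup populates that directory with more than one entry (I believe a `ca-bundle.crt` alias among them — worth confirming against the pki module), so guest software that opens one of the other names will trust nothing once `useHostCerts` is on; either copy the bundle under each name the pki module provides or document the limitation. The `cp -L` copy in the VM script is what keeps the guest from reaching the host's real bundle through this share, which is the right design, and that intent deserves a comment above `certs = mkIf cfg.useHostCerts {` so a future refactor does not share `$NIX_SSL_CERT_FILE`'s directory directly, e.g. `# Share the copy made in the VM script, never the host file itself, so the guest cannot alter the host trust store.` The `virtualisation.qemu.networkingOptions` definition at the end of this hunk continues outside it.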