2014-04-14 15:26:48 +01:00
|
|
|
{ config, lib, pkgs, ... }:
|
2010-01-20 14:22:47 +00:00
|
|
|
|
2014-04-14 15:26:48 +01:00
|
|
|
with lib;
|
2010-01-20 14:22:47 +00:00
|
|
|
|
2015-02-15 17:55:07 +00:00
|
|
|
let
|
|
|
|
|
2016-09-01 22:40:05 +01:00
|
|
|
cfg = config.security.pki;
|
|
|
|
|
|
|
|
cacertPackage = pkgs.cacert.override {
|
|
|
|
blacklist = cfg.caCertificateBlacklist;
|
2021-06-12 20:29:26 +01:00
|
|
|
extraCertificateFiles = cfg.certificateFiles;
|
|
|
|
extraCertificateStrings = cfg.certificates;
|
2016-09-01 22:40:05 +01:00
|
|
|
};
|
2024-02-07 01:04:56 +00:00
|
|
|
caBundleName = if cfg.useCompatibleBundle then "ca-no-trust-rules-bundle.crt" else "ca-bundle.crt";
|
|
|
|
caBundle = "${cacertPackage}/etc/ssl/certs/${caBundleName}";
|
2015-02-15 17:55:07 +00:00
|
|
|
|
|
|
|
in
|
|
|
|
|
2010-01-20 14:22:47 +00:00
|
|
|
{
|
|
|
|
|
2015-02-05 17:06:57 +00:00
|
|
|
options = {
|
2023-10-18 13:08:30 +01:00
|
|
|
security.pki.installCACerts = mkEnableOption "installing CA certificates to the system" // {
|
2023-06-07 03:41:59 +01:00
|
|
|
default = true;
|
|
|
|
internal = true;
|
|
|
|
};
|
2015-02-05 17:06:57 +00:00
|
|
|
|
2024-02-07 01:04:56 +00:00
|
|
|
security.pki.useCompatibleBundle = mkEnableOption ''usage of a compatibility bundle.
|
|
|
|
|
2024-06-03 17:59:45 +01:00
|
|
|
Such a bundle consists exclusively of `BEGIN CERTIFICATE` and no `BEGIN TRUSTED CERTIFICATE`,
|
|
|
|
which is an OpenSSL specific PEM format.
|
2024-02-07 01:04:56 +00:00
|
|
|
|
|
|
|
It is known to be incompatible with certain software stacks.
|
|
|
|
|
|
|
|
Nevertheless, enabling this will strip all additional trust rules provided by the
|
2024-06-03 17:59:45 +01:00
|
|
|
certificates themselves. This can have security consequences depending on your usecases
|
2024-02-07 01:04:56 +00:00
|
|
|
'';
|
|
|
|
|
2015-02-05 17:06:57 +00:00
|
|
|
security.pki.certificateFiles = mkOption {
|
|
|
|
type = types.listOf types.path;
|
|
|
|
default = [];
|
2021-10-03 17:06:03 +01:00
|
|
|
example = literalExpression ''[ "''${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]'';
|
2015-02-05 17:06:57 +00:00
|
|
|
description = ''
|
|
|
|
A list of files containing trusted root certificates in PEM
|
|
|
|
format. These are concatenated to form
|
2016-01-29 01:32:05 +00:00
|
|
|
{file}`/etc/ssl/certs/ca-certificates.crt`, which is
|
2015-02-05 17:06:57 +00:00
|
|
|
used by many programs that use OpenSSL, such as
|
|
|
|
{command}`curl` and {command}`git`.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
security.pki.certificates = mkOption {
|
2015-06-15 17:18:46 +01:00
|
|
|
type = types.listOf types.str;
|
2015-02-05 17:06:57 +00:00
|
|
|
default = [];
|
2021-10-03 17:06:03 +01:00
|
|
|
example = literalExpression ''
|
2015-07-04 07:49:32 +01:00
|
|
|
[ '''
|
|
|
|
NixOS.org
|
|
|
|
=========
|
|
|
|
-----BEGIN CERTIFICATE-----
|
|
|
|
MIIGUDCCBTigAwIBAgIDD8KWMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
|
|
|
|
TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
|
|
|
|
...
|
|
|
|
-----END CERTIFICATE-----
|
|
|
|
'''
|
|
|
|
]
|
2015-02-05 17:06:57 +00:00
|
|
|
'';
|
|
|
|
description = ''
|
|
|
|
A list of trusted root certificates in PEM format.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2016-09-01 22:40:05 +01:00
|
|
|
security.pki.caCertificateBlacklist = mkOption {
|
|
|
|
type = types.listOf types.str;
|
|
|
|
default = [];
|
|
|
|
example = [
|
|
|
|
"WoSign" "WoSign China"
|
|
|
|
"CA WoSign ECC Root"
|
|
|
|
"Certification Authority of WoSign G2"
|
|
|
|
];
|
|
|
|
description = ''
|
|
|
|
A list of blacklisted CA certificate names that won't be imported from
|
|
|
|
the Mozilla Trust Store into
|
|
|
|
{file}`/etc/ssl/certs/ca-certificates.crt`. Use the
|
|
|
|
names from that file.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2015-02-05 17:06:57 +00:00
|
|
|
};
|
|
|
|
|
2023-06-07 03:41:59 +01:00
|
|
|
config = mkIf cfg.installCACerts {
|
2010-01-20 14:22:47 +00:00
|
|
|
|
2015-02-15 18:03:14 +00:00
|
|
|
# NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility.
|
2021-06-12 20:29:26 +01:00
|
|
|
environment.etc."ssl/certs/ca-certificates.crt".source = caBundle;
|
2015-02-15 18:03:14 +00:00
|
|
|
|
|
|
|
# Old NixOS compatibility.
|
2021-06-12 20:29:26 +01:00
|
|
|
environment.etc."ssl/certs/ca-bundle.crt".source = caBundle;
|
2015-02-15 17:55:07 +00:00
|
|
|
|
|
|
|
# CentOS/Fedora compatibility.
|
2021-06-12 20:29:26 +01:00
|
|
|
environment.etc."pki/tls/certs/ca-bundle.crt".source = caBundle;
|
|
|
|
|
|
|
|
# P11-Kit trust source.
|
|
|
|
environment.etc."ssl/trust-source".source = "${cacertPackage.p11kit}/etc/ssl/trust-source";
|
2015-02-15 17:55:07 +00:00
|
|
|
|
2010-01-20 14:22:47 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
}
|