authorEelco Dolstra <eelco.dolstra@logicblox.com>2015-02-05 18:06:57 +0100
committerEelco Dolstra <eelco.dolstra@logicblox.com>2015-02-05 18:08:35 +0100
commitd2bfb5ceb08bed179a996969119a4c72b8eb147a (patch)
tree15e33b3cc4de32f8f6ea59053a11ca79c12065b2 /nixos/modules/security
parent35e333241c4018eaf54aaf588f8189ec4e92807b (diff)
Add options for installing additional root certificates
Diffstat (limited to 'nixos/modules/security')
-rw-r--r--nixos/modules/security/ca.nix45
1 files changed, 44 insertions, 1 deletions
diff --git a/nixos/modules/security/ca.nix b/nixos/modules/security/ca.nix
index f430a5a6339f..e070ffc95e43 100644
--- a/nixos/modules/security/ca.nix
+++ b/nixos/modules/security/ca.nix
@@ -4,10 +4,53 @@ with lib;
 
 {
 
+  options = {
+
+    security.pki.certificateFiles = mkOption {
+      type = types.listOf types.path;
+      default = [];
+      example = literalExample "[ \"\${pkgs.cacert}/etc/ca-bundle.crt\" ]";
+      description = ''
+        A list of files containing trusted root certificates in PEM
+        format. These are concatenated to form
+        <filename>/etc/ssl/certs/ca-bundle.crt</filename>, which is
+        used by many programs that use OpenSSL, such as
+        <command>curl</command> and <command>git</command>.
+      '';
+    };
+
+    security.pki.certificates = mkOption {
+      type = types.listOf types.string;
+      default = [];
+      example = singleton ''
+        NixOS.org
+        =========
+        -----BEGIN CERTIFICATE-----
+        MIIGUDCCBTigAwIBAgIDD8KWMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
+        TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
+        ...
+        -----END CERTIFICATE-----
+      '';
+      description = ''
+        A list of trusted root certificates in PEM format.
+      '';
+    };
+
+  };
+
   config = {
 
+    security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ca-bundle.crt" ];
+
     environment.etc =
-      [ { source = "${pkgs.cacert}/etc/ca-bundle.crt";
+      [ { source = pkgs.runCommand "ca-bundle.crt"
+          { files =
+              config.security.pki.certificateFiles ++
+              [ (builtins.toFile "extra.crt" (concatStringsSep "\n" config.security.pki.certificates)) ];
+           }
+          ''
+            cat $files > $out
+          '';
           target = "ssl/certs/ca-bundle.crt";
         }
       ];
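Review bot: The `cat $files > $out` builder joins the bundle inputs byte-for-byte, so any file in `security.pki.certificateFiles` (or the generated `extra.crt`, whose last entry from `concatStringsSep "\n"` has no trailing newline) that does not end in a newline leaves the next file's `-----BEGIN CERTIFICATE-----` fused onto the preceding `-----END CERTIFICATE-----` line, and PEM readers will typically not recognise the following certificate, silently shrinking the trust store. Emitting a newline after each input avoids this and also stops unquoted `$files` from splitting a path on whitespace: `for f in $files; do cat "$f"; echo; done > $out`. Worth a short comment above the `runCommand` saying the bundle is rebuilt from these inputs on every evaluation and that user-supplied certificates are public data placed in the world-readable store, which is fine for trust anchors but not for anything with a private key. The `options` attribute set and the `config` set both open and close inside this hunk, so the whole new structure is visible here.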