From 2e525a93da518525567987c8097787e2aa22fd7a Mon Sep 17 00:00:00 2001
From: Daiderd Jordan
Date: Tue, 15 Jan 2019 21:55:08 +0100
Subject: [PATCH] security.pki: add module to configure ca certificates

This makes NIX_SSL_CERT_FILE configurable and makes /etc/ssl/certs/ca-certificates.crt available like nixos.
---
 default.nix                      |  1 +
 modules/environment/default.nix  |  9 ++--
 modules/security/pki/default.nix | 82 ++++++++++++++++++++++++++++++++
 3 files changed, 86 insertions(+), 6 deletions(-)
 create mode 100644 modules/security/pki/default.nix

diff --git a/default.nix b/default.nix
index 73a6b8e4..37f804de 100644
--- a/default.nix
+++ b/default.nix
@@ -19,6 +19,7 @@ let
       [ configuration
         packages
         ./modules/alias.nix
+        ./modules/security/pki
         ./modules/system
         ./modules/system/checks.nix
         ./modules/system/activation-scripts.nix
diff --git a/modules/environment/default.nix b/modules/environment/default.nix
index 8ba0735e..ae410653 100644
--- a/modules/environment/default.nix
+++ b/modules/environment/default.nix
@@ -3,7 +3,6 @@
 with lib;
 
 let
-
   cfg = config.environment;
 
   exportVariables =
@@ -13,10 +12,10 @@ let
     mapAttrsFlatten (n: v: ''alias ${n}="${v}"'') cfg.shellAliases;
 
   makeDrvBinPath = concatMapStringsSep ":" (p: if isDerivation p then "${p}/bin" else p);
+in
 
-in {
+{
   options = {
-
     environment.systemPackages = mkOption {
       type = types.listOf types.package;
       default = [];
@@ -147,7 +146,6 @@ in {
       '';
       type = types.lines;
     };
-
   };
 
   config = {
@@ -172,8 +170,7 @@ in {
      '';
 
    environment.variables =
-      { NIX_SSL_CERT_FILE = mkDefault "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
-        EDITOR = mkDefault "nano";
+      { EDITOR = mkDefault "nano";
         PAGER = mkDefault "less -R";
       };
 
diff --git a/modules/security/pki/default.nix b/modules/security/pki/default.nix
new file mode 100644
index 00000000..b6e99d26
--- /dev/null
+++ b/modules/security/pki/default.nix
@@ -0,0 +1,82 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.security.pki;
+
+  cacertPackage = pkgs.cacert.override {
+    blacklist = cfg.caCertificateBlacklist;
+  };
+
+  caCertificates = pkgs.runCommand "ca-certificates.crt"
+    { files =
+        cfg.certificateFiles ++
+        [ (builtins.toFile "extra.crt" (concatStringsSep "\n" cfg.certificates)) ];
+    }
+    ''
+      cat $files > $out
+    '';
+in
+
+{
+  options = {
+    security.pki.certificateFiles = mkOption {
+      type = types.listOf types.path;
+      default = [];
+      example = literalExample "[ \"\${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt\" ]";
+      description = ''
+        A list of files containing trusted root certificates in PEM
+        format. These are concatenated to form
+        /etc/ssl/certs/ca-certificates.crt, which is
+        used by many programs that use OpenSSL, such as
+        curl and git.
+      '';
+    };
+
+    security.pki.certificates = mkOption {
+      type = types.listOf types.str;
+      default = [];
+      example = literalExample ''
+        [ '''
+          NixOS.org
+          =========
+          -----BEGIN CERTIFICATE-----
+          MIIGUDCCBTigAwIBAgIDD8KWMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
+          TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
+          ...
+          -----END CERTIFICATE-----
+        '''
+        ]
+      '';
+      description = ''
+        A list of trusted root certificates in PEM format.
+      '';
+    };
+
+    security.pki.caCertificateBlacklist = mkOption {
+      type = types.listOf types.str;
+      default = [];
+      example = [
+        "WoSign" "WoSign China"
+        "CA WoSign ECC Root"
+        "Certification Authority of WoSign G2"
+      ];
+      description = ''
+        A list of blacklisted CA certificate names that won't be imported from
+        the Mozilla Trust Store into
+        /etc/ssl/certs/ca-certificates.crt. Use the
+        names from that file.
+      '';
+    };
+  };
+
+  config = {
+
+    security.pki.certificateFiles = [ "${cacertPackage}/etc/ssl/certs/ca-bundle.crt" ];
+
+    environment.etc."ssl/certs/ca-certificates.crt".source = caCertificates;
+    environment.variables.NIX_SSL_CERT_FILE = mkDefault "/etc/ssl/certs/ca-certificates.crt";
+
+  };
+}
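Review bot: The bundle is assembled with `cat $files > $out` in the caCertificates runCommand, which joins the inputs byte-for-byte, so any certificateFiles entry that does not end with a newline would run its `-----END CERTIFICATE-----` line into the next file's `-----BEGIN CERTIFICATE-----` and make OpenSSL skip or reject that following certificate. The generated extra.crt also has no trailing newline after its last PEM block (`concatStringsSep "\n"` only separates), which is harmless today only because it is appended last. Emitting a newline after every input keeps the result independent of order and of how each source file was saved, e.g. `for f in $files; do cat "$f"; echo; done > $out`. Separately, a misspelled caCertificateBlacklist entry presumably just leaves that CA trusted if the cacert override filters by exact name without validating the list; a sentence in that option's description saying the names must match the Mozilla store entries exactly would help users check their spelling.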