nixpkgs/nixos/modules/security/ca.nix

{ config, lib, pkgs, ... }:

with lib;

let

  cfg = config.security.pki;

  cacertPackage = pkgs.cacert.override {
    blacklist = cfg.caCertificateBlacklist;
    extraCertificateFiles = cfg.certificateFiles;
    extraCertificateStrings = cfg.certificates;
  };
  caBundle = "${cacertPackage}/etc/ssl/certs/ca-bundle.crt";

in

{

  options = {

    security.pki.certificateFiles = mkOption {
      type = types.listOf types.path;
      default = [];
      example = literalExpression ''[ "''${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]'';
      description = lib.mdDoc ''
        A list of files containing trusted root certificates in PEM
        format. These are concatenated to form
        {file}`/etc/ssl/certs/ca-certificates.crt`, which is
        used by many programs that use OpenSSL, such as
        {command}`curl` and {command}`git`.
      '';
    };

    security.pki.certificates = mkOption {
      type = types.listOf types.str;
      default = [];
      example = literalExpression ''
        [ '''
            NixOS.org
            =========
            -----BEGIN CERTIFICATE-----
            MIIGUDCCBTigAwIBAgIDD8KWMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
            TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
            ...
            -----END CERTIFICATE-----
          '''
        ]
      '';
      description = lib.mdDoc ''
        A list of trusted root certificates in PEM format.
      '';
    };

    security.pki.caCertificateBlacklist = mkOption {
      type = types.listOf types.str;
      default = [];
      example = [
        "WoSign" "WoSign China"
        "CA WoSign ECC Root"
        "Certification Authority of WoSign G2"
      ];
      description = lib.mdDoc ''
        A list of blacklisted CA certificate names that won't be imported from
        the Mozilla Trust Store into
        {file}`/etc/ssl/certs/ca-certificates.crt`. Use the
        names from that file.
      '';
    };

  };

  config = {

    # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility.
    environment.etc."ssl/certs/ca-certificates.crt".source = caBundle;

    # Old NixOS compatibility.
    environment.etc."ssl/certs/ca-bundle.crt".source = caBundle;

    # CentOS/Fedora compatibility.
    environment.etc."pki/tls/certs/ca-bundle.crt".source = caBundle;

    # P11-Kit trust source.
    environment.etc."ssl/trust-source".source = "${cacertPackage.p11kit}/etc/ssl/trust-source";

  };

}
Rewrite ‘with pkgs.lib’ -> ‘with lib’ Using pkgs.lib on the spine of module evaluation is problematic because the pkgs argument depends on the result of module evaluation. To prevent an infinite recursion, pkgs and some of the modules are evaluated twice, which is inefficient. Using ‘with lib’ prevents this problem. 2014-04-14 14:26:48 +00:00			`{ config, lib, pkgs, ... }:`
* Provide a bundle of CA certificates in /etc/ca-bundle.crt, and set the CURL_CA_BUNDLE environment variable. This allows curl to work without the `-k' flag on https sites with a properly signed certificate. svn path=/nixos/trunk/; revision=19572 2010-01-20 14:22:47 +00:00
Rewrite ‘with pkgs.lib’ -> ‘with lib’ Using pkgs.lib on the spine of module evaluation is problematic because the pkgs argument depends on the result of module evaluation. To prevent an infinite recursion, pkgs and some of the modules are evaluated twice, which is inefficient. Using ‘with lib’ prevents this problem. 2014-04-14 14:26:48 +00:00			`with lib;`
* Provide a bundle of CA certificates in /etc/ca-bundle.crt, and set the CURL_CA_BUNDLE environment variable. This allows curl to work without the `-k' flag on https sites with a properly signed certificate. svn path=/nixos/trunk/; revision=19572 2010-01-20 14:22:47 +00:00
Provide symlinks to ca-bundle.crt for compat with other distros There is no "standard" location for the certificate bundle, so many programs/libraries have various hard-coded default locations that don't exist on NixOS. To make these more likely to work, provide some symlinks. 2015-02-15 17:55:07 +00:00			`let`

cacerts: refactor, add blacklist option Previously, the list of CA certificates was generated with a perl script which is included in curl. As this script is not very flexible, this commit refactors the expression to use the python script that Debian uses to generate their CA certificates from Mozilla's trust store in NSS. Additionally, an option was added to the cacerts derivation and the `security.pki` module to blacklist specific CAs. 2016-09-01 21:40:05 +00:00			`cfg = config.security.pki;`

			`cacertPackage = pkgs.cacert.override {`
			`blacklist = cfg.caCertificateBlacklist;`
nixos/ca: use cacert package build for options and p11-kit output The cacert package can now generate p11-kit-compatible output itself, as well as generating the correct set of outputs for fully-joined and unbundled "traditional" outputs (in standard PEM and OpenSSL-compatible formats). 2021-06-12 19:29:26 +00:00			`extraCertificateFiles = cfg.certificateFiles;`
			`extraCertificateStrings = cfg.certificates;`
cacerts: refactor, add blacklist option Previously, the list of CA certificates was generated with a perl script which is included in curl. As this script is not very flexible, this commit refactors the expression to use the python script that Debian uses to generate their CA certificates from Mozilla's trust store in NSS. Additionally, an option was added to the cacerts derivation and the `security.pki` module to blacklist specific CAs. 2016-09-01 21:40:05 +00:00			`};`
nixos/ca: use cacert package build for options and p11-kit output The cacert package can now generate p11-kit-compatible output itself, as well as generating the correct set of outputs for fully-joined and unbundled "traditional" outputs (in standard PEM and OpenSSL-compatible formats). 2021-06-12 19:29:26 +00:00			`caBundle = "${cacertPackage}/etc/ssl/certs/ca-bundle.crt";`
Provide symlinks to ca-bundle.crt for compat with other distros There is no "standard" location for the certificate bundle, so many programs/libraries have various hard-coded default locations that don't exist on NixOS. To make these more likely to work, provide some symlinks. 2015-02-15 17:55:07 +00:00
			`in`

* Provide a bundle of CA certificates in /etc/ca-bundle.crt, and set the CURL_CA_BUNDLE environment variable. This allows curl to work without the `-k' flag on https sites with a properly signed certificate. svn path=/nixos/trunk/; revision=19572 2010-01-20 14:22:47 +00:00			`{`

Add options for installing additional root certificates 2015-02-05 17:06:57 +00:00			`options = {`

			`security.pki.certificateFiles = mkOption {`
			`type = types.listOf types.path;`
			`default = [];`
nixos/doc: clean up defaults and examples 2021-10-03 16:06:03 +00:00			`example = literalExpression ''[ "''${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]'';`
Add options for installing additional root certificates 2015-02-05 17:06:57 +00:00			`description = lib.mdDoc ''`
			`A list of files containing trusted root certificates in PEM`
			`format. These are concatenated to form`
Fix some references to deprecated /etc/ssl/certs/ca-bundle.crt 2016-01-29 01:32:05 +00:00			{file}`/etc/ssl/certs/ca-certificates.crt`, which is
Add options for installing additional root certificates 2015-02-05 17:06:57 +00:00			`used by many programs that use OpenSSL, such as`
			{command}`curl` and {command}`git`.
			`'';`
			`};`

			`security.pki.certificates = mkOption {`
Some more type cleanup 2015-06-15 16:18:46 +00:00			`type = types.listOf types.str;`
Add options for installing additional root certificates 2015-02-05 17:06:57 +00:00			`default = [];`
nixos/doc: clean up defaults and examples 2021-10-03 16:06:03 +00:00			`example = literalExpression ''`
cacert: fix formatting of example 2015-07-04 06:49:32 +00:00			`[ '''`
			`NixOS.org`
			`=========`
			`-----BEGIN CERTIFICATE-----`
			`MIIGUDCCBTigAwIBAgIDD8KWMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ`
			`TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0`
			`...`
			`-----END CERTIFICATE-----`
			`'''`
			`]`
Add options for installing additional root certificates 2015-02-05 17:06:57 +00:00			`'';`
			`description = lib.mdDoc ''`
			`A list of trusted root certificates in PEM format.`
			`'';`
			`};`

cacerts: refactor, add blacklist option Previously, the list of CA certificates was generated with a perl script which is included in curl. As this script is not very flexible, this commit refactors the expression to use the python script that Debian uses to generate their CA certificates from Mozilla's trust store in NSS. Additionally, an option was added to the cacerts derivation and the `security.pki` module to blacklist specific CAs. 2016-09-01 21:40:05 +00:00			`security.pki.caCertificateBlacklist = mkOption {`
			`type = types.listOf types.str;`
			`default = [];`
			`example = [`
			`"WoSign" "WoSign China"`
			`"CA WoSign ECC Root"`
			`"Certification Authority of WoSign G2"`
			`];`
			`description = lib.mdDoc ''`
			`A list of blacklisted CA certificate names that won't be imported from`
			`the Mozilla Trust Store into`
			{file}`/etc/ssl/certs/ca-certificates.crt`. Use the
			`names from that file.`
			`'';`
			`};`

Add options for installing additional root certificates 2015-02-05 17:06:57 +00:00			`};`

* Provide a bundle of CA certificates in /etc/ca-bundle.crt, and set the CURL_CA_BUNDLE environment variable. This allows curl to work without the `-k' flag on https sites with a properly signed certificate. svn path=/nixos/trunk/; revision=19572 2010-01-20 14:22:47 +00:00			`config = {`

/etc/ssl/certs/ca-bundle.crt -> ca-certificates.crt Even though there is no "official" standard location, it's better to stick to what most distros are using. 2015-02-15 18:03:14 +00:00			`# NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility.`
nixos/ca: use cacert package build for options and p11-kit output The cacert package can now generate p11-kit-compatible output itself, as well as generating the correct set of outputs for fully-joined and unbundled "traditional" outputs (in standard PEM and OpenSSL-compatible formats). 2021-06-12 19:29:26 +00:00			`environment.etc."ssl/certs/ca-certificates.crt".source = caBundle;`
/etc/ssl/certs/ca-bundle.crt -> ca-certificates.crt Even though there is no "official" standard location, it's better to stick to what most distros are using. 2015-02-15 18:03:14 +00:00
			`# Old NixOS compatibility.`
nixos/ca: use cacert package build for options and p11-kit output The cacert package can now generate p11-kit-compatible output itself, as well as generating the correct set of outputs for fully-joined and unbundled "traditional" outputs (in standard PEM and OpenSSL-compatible formats). 2021-06-12 19:29:26 +00:00			`environment.etc."ssl/certs/ca-bundle.crt".source = caBundle;`
Provide symlinks to ca-bundle.crt for compat with other distros There is no "standard" location for the certificate bundle, so many programs/libraries have various hard-coded default locations that don't exist on NixOS. To make these more likely to work, provide some symlinks. 2015-02-15 17:55:07 +00:00
			`# CentOS/Fedora compatibility.`
nixos/ca: use cacert package build for options and p11-kit output The cacert package can now generate p11-kit-compatible output itself, as well as generating the correct set of outputs for fully-joined and unbundled "traditional" outputs (in standard PEM and OpenSSL-compatible formats). 2021-06-12 19:29:26 +00:00			`environment.etc."pki/tls/certs/ca-bundle.crt".source = caBundle;`

			`# P11-Kit trust source.`
			`environment.etc."ssl/trust-source".source = "${cacertPackage.p11kit}/etc/ssl/trust-source";`
Provide symlinks to ca-bundle.crt for compat with other distros There is no "standard" location for the certificate bundle, so many programs/libraries have various hard-coded default locations that don't exist on NixOS. To make these more likely to work, provide some symlinks. 2015-02-15 17:55:07 +00:00
* Provide a bundle of CA certificates in /etc/ca-bundle.crt, and set the CURL_CA_BUNDLE environment variable. This allows curl to work without the `-k' flag on https sites with a properly signed certificate. svn path=/nixos/trunk/; revision=19572 2010-01-20 14:22:47 +00:00			`};`

			`}`