diff --git a/default.nix b/default.nix
index 73a6b8e..37f804d 100644
--- a/default.nix
+++ b/default.nix
@@ -19,6 +19,7 @@ let
[ configuration
packages
./modules/alias.nix
+ ./modules/security/pki
./modules/system
./modules/system/checks.nix
./modules/system/activation-scripts.nix
diff --git a/modules/environment/default.nix b/modules/environment/default.nix
index 8ba0735..ae41065 100644
--- a/modules/environment/default.nix
+++ b/modules/environment/default.nix
@@ -3,7 +3,6 @@
with lib;
let
-
cfg = config.environment;
exportVariables =
@@ -13,10 +12,10 @@ let
mapAttrsFlatten (n: v: ''alias ${n}="${v}"'') cfg.shellAliases;
makeDrvBinPath = concatMapStringsSep ":" (p: if isDerivation p then "${p}/bin" else p);
+in
-in {
+{
options = {
-
environment.systemPackages = mkOption {
type = types.listOf types.package;
default = [];
@@ -147,7 +146,6 @@ in {
'';
type = types.lines;
};
-
};
config = {
@@ -172,8 +170,7 @@ in {
'';
environment.variables =
- { NIX_SSL_CERT_FILE = mkDefault "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
- EDITOR = mkDefault "nano";
+ { EDITOR = mkDefault "nano";
PAGER = mkDefault "less -R";
};
diff --git a/modules/security/pki/default.nix b/modules/security/pki/default.nix
new file mode 100644
index 0000000..b6e99d2
--- /dev/null
+++ b/modules/security/pki/default.nix
@@ -0,0 +1,82 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.security.pki;
+
+ cacertPackage = pkgs.cacert.override {
+ blacklist = cfg.caCertificateBlacklist;
+ };
+
+ caCertificates = pkgs.runCommand "ca-certificates.crt"
+ { files =
+ cfg.certificateFiles ++
+ [ (builtins.toFile "extra.crt" (concatStringsSep "\n" cfg.certificates)) ];
+ }
+ ''
+ cat $files > $out
+ '';
+in
+
+{
+ options = {
+ security.pki.certificateFiles = mkOption {
+ type = types.listOf types.path;
+ default = [];
+ example = literalExample "[ \"\${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt\" ]";
+ description = ''
+ A list of files containing trusted root certificates in PEM
+ format. These are concatenated to form
+ /etc/ssl/certs/ca-certificates.crt, which is
+ used by many programs that use OpenSSL, such as
+ curl and git.
+ '';
+ };
+
+ security.pki.certificates = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ example = literalExample ''
+ [ '''
+ NixOS.org
+ =========
+ -----BEGIN CERTIFICATE-----
+ MIIGUDCCBTigAwIBAgIDD8KWMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
+ TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
+ ...
+ -----END CERTIFICATE-----
+ '''
+ ]
+ '';
+ description = ''
+ A list of trusted root certificates in PEM format.
+ '';
+ };
+
+ security.pki.caCertificateBlacklist = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ example = [
+ "WoSign" "WoSign China"
+ "CA WoSign ECC Root"
+ "Certification Authority of WoSign G2"
+ ];
+ description = ''
+ A list of blacklisted CA certificate names that won't be imported from
+ the Mozilla Trust Store into
+ /etc/ssl/certs/ca-certificates.crt. Use the
+ names from that file.
+ '';
+ };
+ };
+
+ config = {
+
+ security.pki.certificateFiles = [ "${cacertPackage}/etc/ssl/certs/ca-bundle.crt" ];
+
+ environment.etc."ssl/certs/ca-certificates.crt".source = caCertificates;
+ environment.variables.NIX_SSL_CERT_FILE = mkDefault "/etc/ssl/certs/ca-certificates.crt";
+
+ };
+}
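Review bot: The `cat $files > $out` line in `caCertificates` concatenates the PEM inputs with no separator, so any file in `security.pki.certificateFiles` that lacks a trailing newline glues its `-----END CERTIFICATE-----` to the next file's `-----BEGIN CERTIFICATE-----`, and depending on the parser the adjacent anchors are silently dropped or the bundle fails to load, with no build-time signal either way. Emitting a newline after each input avoids this: `for f in $files; do cat "$f"; echo; done > $out`. The generated `extra.crt` has the same shape, since `concatStringsSep "\n"` leaves no newline after the last entry; it is currently the final input, so this only matters if the order ever changes, but the per-file `echo` covers it too. A cheap build-time sanity check on the result, such as verifying that BEGIN and END marker counts match, would surface a malformed anchor at build rather than at the first TLS failure.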