nixpkgs/nixos/modules/security/ca.nix

{
  config,
  lib,
  pkgs,
  ...
}:
let

  cfg = config.security.pki;

  cacertPackage = pkgs.cacert.override {
    blacklist = cfg.caCertificateBlacklist;
    extraCertificateFiles = cfg.certificateFiles;
    extraCertificateStrings = cfg.certificates;
  };
  caBundleName = if cfg.useCompatibleBundle then "ca-no-trust-rules-bundle.crt" else "ca-bundle.crt";
  caBundle = "${cacertPackage}/etc/ssl/certs/${caBundleName}";

in

{

  options = {
    security.pki.installCACerts = lib.mkEnableOption "installing CA certificates to the system" // {
      default = true;
      internal = true;
    };

    security.pki.useCompatibleBundle = lib.mkEnableOption ''
      usage of a compatibility bundle.

      Such a bundle consists exclusively of `BEGIN CERTIFICATE` and no `BEGIN TRUSTED CERTIFICATE`,
      which is an OpenSSL specific PEM format.

      It is known to be incompatible with certain software stacks.

      Nevertheless, enabling this will strip all additional trust rules provided by the
      certificates themselves. This can have security consequences depending on your usecases
    '';

    security.pki.certificateFiles = lib.mkOption {
      type = lib.types.listOf lib.types.path;
      default = [ ];
      example = lib.literalExpression ''[ "''${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]'';
      description = ''
        A list of files containing trusted root certificates in PEM
        format. These are concatenated to form
        {file}`/etc/ssl/certs/ca-certificates.crt`, which is
        used by many programs that use OpenSSL, such as
        {command}`curl` and {command}`git`.
      '';
    };

    security.pki.certificates = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      example = lib.literalExpression ''
        [ '''
            NixOS.org
            =========
            -----BEGIN CERTIFICATE-----
            MIIGUDCCBTigAwIBAgIDD8KWMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
            TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
            ...
            -----END CERTIFICATE-----
          '''
        ]
      '';
      description = ''
        A list of trusted root certificates in PEM format.
      '';
    };

    security.pki.caCertificateBlacklist = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      example = [
        "WoSign"
        "WoSign China"
        "CA WoSign ECC Root"
        "Certification Authority of WoSign G2"
      ];
      description = ''
        A list of blacklisted CA certificate names that won't be imported from
        the Mozilla Trust Store into
        {file}`/etc/ssl/certs/ca-certificates.crt`. Use the
        names from that file.
      '';
    };

  };

  config = lib.mkIf cfg.installCACerts {

    # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility.
    environment.etc."ssl/certs/ca-certificates.crt".source = caBundle;

    # Old NixOS compatibility.
    environment.etc."ssl/certs/ca-bundle.crt".source = caBundle;

    # CentOS/Fedora compatibility.
    environment.etc."pki/tls/certs/ca-bundle.crt".source = caBundle;

    # P11-Kit trust source.
    environment.etc."ssl/trust-source".source = "${cacertPackage.p11kit}/etc/ssl/trust-source";

  };

}
Rewrite ‘with pkgs.lib’ -> ‘with lib’ Using pkgs.lib on the spine of module evaluation is problematic because the pkgs argument depends on the result of module evaluation. To prevent an infinite recursion, pkgs and some of the modules are evaluated twice, which is inefficient. Using ‘with lib’ prevents this problem. 2014-04-14 14:26:48 +00:00			`{`
			`config,`
			`lib,`
			`pkgs,`
			`...`
			`}:`
Provide symlinks to ca-bundle.crt for compat with other distros There is no "standard" location for the certificate bundle, so many programs/libraries have various hard-coded default locations that don't exist on NixOS. To make these more likely to work, provide some symlinks. 2015-02-15 17:55:07 +00:00			`let`

cacerts: refactor, add blacklist option Previously, the list of CA certificates was generated with a perl script which is included in curl. As this script is not very flexible, this commit refactors the expression to use the python script that Debian uses to generate their CA certificates from Mozilla's trust store in NSS. Additionally, an option was added to the cacerts derivation and the `security.pki` module to blacklist specific CAs. 2016-09-01 21:40:05 +00:00			`cfg = config.security.pki;`

			`cacertPackage = pkgs.cacert.override {`
			`blacklist = cfg.caCertificateBlacklist;`
nixos/ca: use cacert package build for options and p11-kit output The cacert package can now generate p11-kit-compatible output itself, as well as generating the correct set of outputs for fully-joined and unbundled "traditional" outputs (in standard PEM and OpenSSL-compatible formats). 2021-06-12 19:29:26 +00:00			`extraCertificateFiles = cfg.certificateFiles;`
			`extraCertificateStrings = cfg.certificates;`
cacerts: refactor, add blacklist option Previously, the list of CA certificates was generated with a perl script which is included in curl. As this script is not very flexible, this commit refactors the expression to use the python script that Debian uses to generate their CA certificates from Mozilla's trust store in NSS. Additionally, an option was added to the cacerts derivation and the `security.pki` module to blacklist specific CAs. 2016-09-01 21:40:05 +00:00			`};`
nixos/security/ca: enable support for compatibility bundles Certain software stacks have no support for OpenSSL non-standard PEM format and will fail to use our NixOS CA bundle. For this, it is necessary to fallback on a 'compatibility' bundle which will contain no additional trust rules. Signed-off-by: Raito Bezarius <masterancpp@gmail.com> 2024-02-07 01:04:56 +00:00			`caBundleName = if cfg.useCompatibleBundle then "ca-no-trust-rules-bundle.crt" else "ca-bundle.crt";`
			`caBundle = "${cacertPackage}/etc/ssl/certs/${caBundleName}";`
Provide symlinks to ca-bundle.crt for compat with other distros There is no "standard" location for the certificate bundle, so many programs/libraries have various hard-coded default locations that don't exist on NixOS. To make these more likely to work, provide some symlinks. 2015-02-15 17:55:07 +00:00
			`in`

* Provide a bundle of CA certificates in /etc/ca-bundle.crt, and set the CURL_CA_BUNDLE environment variable. This allows curl to work without the `-k' flag on https sites with a properly signed certificate. svn path=/nixos/trunk/; revision=19572 2010-01-20 14:22:47 +00:00			`{`

Add options for installing additional root certificates 2015-02-05 17:06:57 +00:00			`options = {`
nixos/security.pki: remove `with lib;` 2024-12-08 12:18:21 +00:00			`security.pki.installCACerts = lib.mkEnableOption "installing CA certificates to the system" // {`
nixos/qemu-vm: use CA certificates from host 2023-06-07 02:41:59 +00:00			`default = true;`
			`internal = true;`
			`};`
Add options for installing additional root certificates 2015-02-05 17:06:57 +00:00
nixos/security.pki: remove `with lib;` 2024-12-08 12:18:21 +00:00			`security.pki.useCompatibleBundle = lib.mkEnableOption ''`
nixos/ca: fix description formatting Right now most of the text is treated as a code block 2024-10-28 14:03:11 +00:00			`usage of a compatibility bundle.`
nixos/security/ca: enable support for compatibility bundles Certain software stacks have no support for OpenSSL non-standard PEM format and will fail to use our NixOS CA bundle. For this, it is necessary to fallback on a 'compatibility' bundle which will contain no additional trust rules. Signed-off-by: Raito Bezarius <masterancpp@gmail.com> 2024-02-07 01:04:56 +00:00
treewide: fix mkEnableOption usage 2024-06-03 16:59:45 +00:00			Such a bundle consists exclusively of `BEGIN CERTIFICATE` and no `BEGIN TRUSTED CERTIFICATE`,
			`which is an OpenSSL specific PEM format.`
nixos/security/ca: enable support for compatibility bundles Certain software stacks have no support for OpenSSL non-standard PEM format and will fail to use our NixOS CA bundle. For this, it is necessary to fallback on a 'compatibility' bundle which will contain no additional trust rules. Signed-off-by: Raito Bezarius <masterancpp@gmail.com> 2024-02-07 01:04:56 +00:00
			`It is known to be incompatible with certain software stacks.`

			`Nevertheless, enabling this will strip all additional trust rules provided by the`
treewide: fix mkEnableOption usage 2024-06-03 16:59:45 +00:00			`certificates themselves. This can have security consequences depending on your usecases`
nixos/security/ca: enable support for compatibility bundles Certain software stacks have no support for OpenSSL non-standard PEM format and will fail to use our NixOS CA bundle. For this, it is necessary to fallback on a 'compatibility' bundle which will contain no additional trust rules. Signed-off-by: Raito Bezarius <masterancpp@gmail.com> 2024-02-07 01:04:56 +00:00			`'';`

nixos/security.pki: remove `with lib;` 2024-12-08 12:18:21 +00:00			`security.pki.certificateFiles = lib.mkOption {`
			`type = lib.types.listOf lib.types.path;`
Add options for installing additional root certificates 2015-02-05 17:06:57 +00:00			`default = [ ];`
nixos/security.pki: remove `with lib;` 2024-12-08 12:18:21 +00:00			`example = lib.literalExpression ''[ "''${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]'';`
Add options for installing additional root certificates 2015-02-05 17:06:57 +00:00			`description = ''`
			`A list of files containing trusted root certificates in PEM`
			`format. These are concatenated to form`
Fix some references to deprecated /etc/ssl/certs/ca-bundle.crt 2016-01-29 01:32:05 +00:00			{file}`/etc/ssl/certs/ca-certificates.crt`, which is
Add options for installing additional root certificates 2015-02-05 17:06:57 +00:00			`used by many programs that use OpenSSL, such as`
			{command}`curl` and {command}`git`.
			`'';`
			`};`

nixos/security.pki: remove `with lib;` 2024-12-08 12:18:21 +00:00			`security.pki.certificates = lib.mkOption {`
			`type = lib.types.listOf lib.types.str;`
Add options for installing additional root certificates 2015-02-05 17:06:57 +00:00			`default = [ ];`
nixos/security.pki: remove `with lib;` 2024-12-08 12:18:21 +00:00			`example = lib.literalExpression ''`
cacert: fix formatting of example 2015-07-04 06:49:32 +00:00			`[ '''`
			`NixOS.org`
			`=========`
			`-----BEGIN CERTIFICATE-----`
			`MIIGUDCCBTigAwIBAgIDD8KWMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ`
			`TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0`
			`...`
			`-----END CERTIFICATE-----`
			`'''`
			`]`
Add options for installing additional root certificates 2015-02-05 17:06:57 +00:00			`'';`
			`description = ''`
			`A list of trusted root certificates in PEM format.`
			`'';`
			`};`

nixos/security.pki: remove `with lib;` 2024-12-08 12:18:21 +00:00			`security.pki.caCertificateBlacklist = lib.mkOption {`
			`type = lib.types.listOf lib.types.str;`
cacerts: refactor, add blacklist option Previously, the list of CA certificates was generated with a perl script which is included in curl. As this script is not very flexible, this commit refactors the expression to use the python script that Debian uses to generate their CA certificates from Mozilla's trust store in NSS. Additionally, an option was added to the cacerts derivation and the `security.pki` module to blacklist specific CAs. 2016-09-01 21:40:05 +00:00			`default = [ ];`
			`example = [`
			`"WoSign"`
			`"WoSign China"`
			`"CA WoSign ECC Root"`
			`"Certification Authority of WoSign G2"`
			`];`
			`description = ''`
			`A list of blacklisted CA certificate names that won't be imported from`
			`the Mozilla Trust Store into`
			{file}`/etc/ssl/certs/ca-certificates.crt`. Use the
			`names from that file.`
			`'';`
			`};`

Add options for installing additional root certificates 2015-02-05 17:06:57 +00:00			`};`

nixos/security.pki: remove `with lib;` 2024-12-08 12:18:21 +00:00			`config = lib.mkIf cfg.installCACerts {`
* Provide a bundle of CA certificates in /etc/ca-bundle.crt, and set the CURL_CA_BUNDLE environment variable. This allows curl to work without the `-k' flag on https sites with a properly signed certificate. svn path=/nixos/trunk/; revision=19572 2010-01-20 14:22:47 +00:00
/etc/ssl/certs/ca-bundle.crt -> ca-certificates.crt Even though there is no "official" standard location, it's better to stick to what most distros are using. 2015-02-15 18:03:14 +00:00			`# NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility.`
nixos/ca: use cacert package build for options and p11-kit output The cacert package can now generate p11-kit-compatible output itself, as well as generating the correct set of outputs for fully-joined and unbundled "traditional" outputs (in standard PEM and OpenSSL-compatible formats). 2021-06-12 19:29:26 +00:00			`environment.etc."ssl/certs/ca-certificates.crt".source = caBundle;`
/etc/ssl/certs/ca-bundle.crt -> ca-certificates.crt Even though there is no "official" standard location, it's better to stick to what most distros are using. 2015-02-15 18:03:14 +00:00
			`# Old NixOS compatibility.`
nixos/ca: use cacert package build for options and p11-kit output The cacert package can now generate p11-kit-compatible output itself, as well as generating the correct set of outputs for fully-joined and unbundled "traditional" outputs (in standard PEM and OpenSSL-compatible formats). 2021-06-12 19:29:26 +00:00			`environment.etc."ssl/certs/ca-bundle.crt".source = caBundle;`
Provide symlinks to ca-bundle.crt for compat with other distros There is no "standard" location for the certificate bundle, so many programs/libraries have various hard-coded default locations that don't exist on NixOS. To make these more likely to work, provide some symlinks. 2015-02-15 17:55:07 +00:00
			`# CentOS/Fedora compatibility.`
nixos/ca: use cacert package build for options and p11-kit output The cacert package can now generate p11-kit-compatible output itself, as well as generating the correct set of outputs for fully-joined and unbundled "traditional" outputs (in standard PEM and OpenSSL-compatible formats). 2021-06-12 19:29:26 +00:00			`environment.etc."pki/tls/certs/ca-bundle.crt".source = caBundle;`

			`# P11-Kit trust source.`
			`environment.etc."ssl/trust-source".source = "${cacertPackage.p11kit}/etc/ssl/trust-source";`
Provide symlinks to ca-bundle.crt for compat with other distros There is no "standard" location for the certificate bundle, so many programs/libraries have various hard-coded default locations that don't exist on NixOS. To make these more likely to work, provide some symlinks. 2015-02-15 17:55:07 +00:00
* Provide a bundle of CA certificates in /etc/ca-bundle.crt, and set the CURL_CA_BUNDLE environment variable. This allows curl to work without the `-k' flag on https sites with a properly signed certificate. svn path=/nixos/trunk/; revision=19572 2010-01-20 14:22:47 +00:00			`};`

			`}`