authorDaiderd Jordan <daiderd@gmail.com>2019-01-15 21:55:08 +0100
committerDaiderd Jordan <daiderd@gmail.com>2019-01-15 21:55:08 +0100
commit2e525a93da518525567987c8097787e2aa22fd7a (patch)
tree2ace55ef4ceb0d7835fb1f180f3f217ebc2d53e9 /modules
parent61e30229ccfddeaa8338f7b623eae1d56842bf5b (diff)
security.pki: add module to configure ca certificates
This makes NIX_SSL_CERT_FILE configurable and makes /etc/ssl/certs/ca-certificates.crt available, as on NixOS.
Diffstat (limited to 'modules')
-rw-r--r--modules/environment/default.nix9
-rw-r--r--modules/security/pki/default.nix82
2 files changed, 85 insertions, 6 deletions
diff --git a/modules/environment/default.nix b/modules/environment/default.nix
index 8ba0735..ae41065 100644
--- a/modules/environment/default.nix
+++ b/modules/environment/default.nix
@@ -3,7 +3,6 @@
with lib;
let
-
cfg = config.environment;
exportVariables =
@@ -13,10 +12,10 @@ let
mapAttrsFlatten (n: v: ''alias ${n}="${v}"'') cfg.shellAliases;
makeDrvBinPath = concatMapStringsSep ":" (p: if isDerivation p then "${p}/bin" else p);
+in
-in {
+{
options = {
-
environment.systemPackages = mkOption {
type = types.listOf types.package;
default = [];
@@ -147,7 +146,6 @@ in {
'';
type = types.lines;
};
-
};
config = {
@@ -172,8 +170,7 @@ in {
'';
environment.variables =
- { NIX_SSL_CERT_FILE = mkDefault "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
- EDITOR = mkDefault "nano";
+ { EDITOR = mkDefault "nano";
PAGER = mkDefault "less -R";
};
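Review bot: Dropping the `NIX_SSL_CERT_FILE` default in the last hunk leaves the variable unset unless the new `security/pki` module is actually imported into the module list, and that list is outside this diff (the diffstat is limited to 'modules'), so it is worth confirming the import is part of the same change rather than relying on the new module being picked up separately. The earlier hunks in this file are whitespace-only. The enclosing `config = {` block begins before the hunk.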
diff --git a/modules/security/pki/default.nix b/modules/security/pki/default.nix
new file mode 100644
index 0000000..b6e99d2
--- /dev/null
+++ b/modules/security/pki/default.nix
@@ -0,0 +1,82 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.security.pki;
+
+ cacertPackage = pkgs.cacert.override {
+ blacklist = cfg.caCertificateBlacklist;
+ };
+
+ caCertificates = pkgs.runCommand "ca-certificates.crt"
+ { files =
+ cfg.certificateFiles ++
+ [ (builtins.toFile "extra.crt" (concatStringsSep "\n" cfg.certificates)) ];
+ }
+ ''
+ cat $files > $out
+ '';
+in
+
+{
+ options = {
+ security.pki.certificateFiles = mkOption {
+ type = types.listOf types.path;
+ default = [];
+ example = literalExample "[ \"\${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt\" ]";
+ description = ''
+ A list of files containing trusted root certificates in PEM
+ format. These are concatenated to form
+ <filename>/etc/ssl/certs/ca-certificates.crt</filename>, which is
+ used by many programs that use OpenSSL, such as
+ <command>curl</command> and <command>git</command>.
+ '';
+ };
+
+ security.pki.certificates = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ example = literalExample ''
+ [ '''
+ NixOS.org
+ =========
+ -----BEGIN CERTIFICATE-----
+ MIIGUDCCBTigAwIBAgIDD8KWMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
+ TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
+ ...
+ -----END CERTIFICATE-----
+ '''
+ ]
+ '';
+ description = ''
+ A list of trusted root certificates in PEM format.
+ '';
+ };
+
+ security.pki.caCertificateBlacklist = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ example = [
+ "WoSign" "WoSign China"
+ "CA WoSign ECC Root"
+ "Certification Authority of WoSign G2"
+ ];
+ description = ''
+ A list of blacklisted CA certificate names that won't be imported from
+ the Mozilla Trust Store into
+ <filename>/etc/ssl/certs/ca-certificates.crt</filename>. Use the
+ names from that file.
+ '';
+ };
+ };
+
+ config = {
+
+ security.pki.certificateFiles = [ "${cacertPackage}/etc/ssl/certs/ca-bundle.crt" ];
+
+ environment.etc."ssl/certs/ca-certificates.crt".source = caCertificates;
+ environment.variables.NIX_SSL_CERT_FILE = mkDefault "/etc/ssl/certs/ca-certificates.crt";
+
+ };
+}
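Review bot: `cat $files > $out` in the `caCertificates` derivation joins the inputs byte-for-byte, so any entry in `certificateFiles` (or the user-supplied PEM text in `extra.crt`) that lacks a trailing newline fuses its `-----END CERTIFICATE-----` line with the next file's `-----BEGIN CERTIFICATE-----`, and PEM readers then silently skip the affected certificate, which for a trust bundle means a root quietly disappears. Emitting a newline after each input avoids this: `for f in $files; do cat "$f"; echo; done > $out` — a blank line between PEM blocks is harmless to the parsers the description names. Since `security.pki.certificates` is materialised with `builtins.toFile`, the option description could also state that these certificates are written to the Nix store (fine for public CA certificates, but readers may otherwise expect them to stay outside it).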