nixos/ca: use cacert package build for options and p11-kit output
The cacert package can now generate p11-kit-compatible output itself, as well as generating the correct set of outputs for fully-joined and unbundled "traditional" outputs (in standard PEM and OpenSSL-compatible formats).
This commit is contained in:
parent
147a61ad59
commit
1b74469cd0
@ -8,12 +8,10 @@ let
|
|||||||
|
|
||||||
cacertPackage = pkgs.cacert.override {
|
cacertPackage = pkgs.cacert.override {
|
||||||
blacklist = cfg.caCertificateBlacklist;
|
blacklist = cfg.caCertificateBlacklist;
|
||||||
|
extraCertificateFiles = cfg.certificateFiles;
|
||||||
|
extraCertificateStrings = cfg.certificates;
|
||||||
};
|
};
|
||||||
|
caBundle = "${cacertPackage}/etc/ssl/certs/ca-bundle.crt";
|
||||||
caCertificates = pkgs.runCommand "ca-certificates.crt" {
|
|
||||||
files = cfg.certificateFiles ++ [ (builtins.toFile "extra.crt" (concatStringsSep "\n" cfg.certificates)) ];
|
|
||||||
preferLocalBuild = true;
|
|
||||||
} "awk 1 $files > $out"; # awk ensures a newline between each pair of consecutive files
|
|
||||||
|
|
||||||
in
|
in
|
||||||
|
|
||||||
@ -74,16 +72,17 @@ in
|
|||||||
|
|
||||||
config = {
|
config = {
|
||||||
|
|
||||||
security.pki.certificateFiles = [ "${cacertPackage}/etc/ssl/certs/ca-bundle.crt" ];
|
|
||||||
|
|
||||||
# NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility.
|
# NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility.
|
||||||
environment.etc."ssl/certs/ca-certificates.crt".source = caCertificates;
|
environment.etc."ssl/certs/ca-certificates.crt".source = caBundle;
|
||||||
|
|
||||||
# Old NixOS compatibility.
|
# Old NixOS compatibility.
|
||||||
environment.etc."ssl/certs/ca-bundle.crt".source = caCertificates;
|
environment.etc."ssl/certs/ca-bundle.crt".source = caBundle;
|
||||||
|
|
||||||
# CentOS/Fedora compatibility.
|
# CentOS/Fedora compatibility.
|
||||||
environment.etc."pki/tls/certs/ca-bundle.crt".source = caCertificates;
|
environment.etc."pki/tls/certs/ca-bundle.crt".source = caBundle;
|
||||||
|
|
||||||
|
# P11-Kit trust source.
|
||||||
|
environment.etc."ssl/trust-source".source = "${cacertPackage.p11kit}/etc/ssl/trust-source";
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -117,9 +117,7 @@ let
|
|||||||
then overrideCC stdenv llvmPackages.clangUseLLVM
|
then overrideCC stdenv llvmPackages.clangUseLLVM
|
||||||
else stdenv;
|
else stdenv;
|
||||||
|
|
||||||
# Disable p11-kit support in nss until our cacert packages has caught up exposing CKA_NSS_MOZILLA_CA_POLICY
|
nss_pkg = if lib.versionOlder version "83" then nss_3_53 else nss;
|
||||||
# https://github.com/NixOS/nixpkgs/issues/126065
|
|
||||||
nss_pkg = if lib.versionOlder version "83" then nss_3_53 else nss.override { useP11kit = false; };
|
|
||||||
|
|
||||||
# --enable-release adds -ffunction-sections & LTO that require a big amount of
|
# --enable-release adds -ffunction-sections & LTO that require a big amount of
|
||||||
# RAM and the 32-bit memory space cannot handle that linking
|
# RAM and the 32-bit memory space cannot handle that linking
|
||||||
|
Loading…
Reference in New Issue
Block a user