nixos/ca: use cacert package build for options and p11-kit output

The cacert package can now generate p11-kit-compatible output itself,
as well as generating the correct set of outputs for fully-joined
and unbundled "traditional" outputs (in standard PEM and
OpenSSL-compatible formats).
This commit is contained in:
Luke Granger-Brown 2021-06-12 19:29:26 +00:00
parent 147a61ad59
commit 1b74469cd0
2 changed files with 10 additions and 13 deletions

View File

@ -8,12 +8,10 @@ let
cacertPackage = pkgs.cacert.override { cacertPackage = pkgs.cacert.override {
blacklist = cfg.caCertificateBlacklist; blacklist = cfg.caCertificateBlacklist;
extraCertificateFiles = cfg.certificateFiles;
extraCertificateStrings = cfg.certificates;
}; };
caBundle = "${cacertPackage}/etc/ssl/certs/ca-bundle.crt";
caCertificates = pkgs.runCommand "ca-certificates.crt" {
files = cfg.certificateFiles ++ [ (builtins.toFile "extra.crt" (concatStringsSep "\n" cfg.certificates)) ];
preferLocalBuild = true;
} "awk 1 $files > $out"; # awk ensures a newline between each pair of consecutive files
in in
@ -74,16 +72,17 @@ in
config = { config = {
security.pki.certificateFiles = [ "${cacertPackage}/etc/ssl/certs/ca-bundle.crt" ];
# NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility. # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility.
environment.etc."ssl/certs/ca-certificates.crt".source = caCertificates; environment.etc."ssl/certs/ca-certificates.crt".source = caBundle;
# Old NixOS compatibility. # Old NixOS compatibility.
environment.etc."ssl/certs/ca-bundle.crt".source = caCertificates; environment.etc."ssl/certs/ca-bundle.crt".source = caBundle;
# CentOS/Fedora compatibility. # CentOS/Fedora compatibility.
environment.etc."pki/tls/certs/ca-bundle.crt".source = caCertificates; environment.etc."pki/tls/certs/ca-bundle.crt".source = caBundle;
# P11-Kit trust source.
environment.etc."ssl/trust-source".source = "${cacertPackage.p11kit}/etc/ssl/trust-source";
}; };

View File

@ -117,9 +117,7 @@ let
then overrideCC stdenv llvmPackages.clangUseLLVM then overrideCC stdenv llvmPackages.clangUseLLVM
else stdenv; else stdenv;
# Disable p11-kit support in nss until our cacert packages has caught up exposing CKA_NSS_MOZILLA_CA_POLICY nss_pkg = if lib.versionOlder version "83" then nss_3_53 else nss;
# https://github.com/NixOS/nixpkgs/issues/126065
nss_pkg = if lib.versionOlder version "83" then nss_3_53 else nss.override { useP11kit = false; };
# --enable-release adds -ffunction-sections & LTO that require a big amount of # --enable-release adds -ffunction-sections & LTO that require a big amount of
# RAM and the 32-bit memory space cannot handle that linking # RAM and the 32-bit memory space cannot handle that linking