From f940a179053e54de0d46aada5b42502f7563f45f Mon Sep 17 00:00:00 2001 From: tv Date: Sat, 20 Apr 2019 18:54:58 +0200 Subject: tv pki: immigrate certificate environment --- tv/2configs/pki/default.nix | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 tv/2configs/pki/default.nix (limited to 'tv/2configs/pki/default.nix') diff --git a/tv/2configs/pki/default.nix b/tv/2configs/pki/default.nix new file mode 100644 index 000000000..f22b9a6da --- /dev/null +++ b/tv/2configs/pki/default.nix @@ -0,0 +1,14 @@ +with import ; +{ config, ... }: let + + certFile = config.environment.etc."ssl/certs/ca-certificates.crt".source; + +in { + + environment.variables = flip genAttrs (_: toString certFile) [ + "CURL_CA_BUNDLE" + "GIT_SSL_CAINFO" + "SSL_CERT_FILE" + ]; + +} -- cgit v1.2.3 From 325119c2834610cb6840e116d79963d2c23cdc8a Mon Sep 17 00:00:00 2001 From: tv Date: Sun, 21 Apr 2019 09:19:37 +0200 Subject: tv pki: import custom certificates --- tv/2configs/pki/default.nix | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'tv/2configs/pki/default.nix') diff --git a/tv/2configs/pki/default.nix b/tv/2configs/pki/default.nix index f22b9a6da..9e7f4763d 100644 --- a/tv/2configs/pki/default.nix +++ b/tv/2configs/pki/default.nix @@ -11,4 +11,10 @@ in { "SSL_CERT_FILE" ]; + security.pki.certificateFiles = + mapAttrsToList + (name: const (./certs + "/${name}")) + (filterAttrs (const (eq "regular")) + (readDir ./certs)); + } -- cgit v1.2.3 From c195713bc283d2a378f4c5c23d57df9d222add48 Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 23 Apr 2019 19:57:23 +0200 Subject: tv pki: generate global nssdb --- tv/2configs/pki/default.nix | 50 ++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 49 insertions(+), 1 deletion(-) (limited to 'tv/2configs/pki/default.nix') diff --git a/tv/2configs/pki/default.nix b/tv/2configs/pki/default.nix index 9e7f4763d..51a5c716f 100644 --- a/tv/2configs/pki/default.nix +++ b/tv/2configs/pki/default.nix @@ -1,10 +1,58 @@ with import ; -{ config, ... }: let +{ config, pkgs, ... }: let certFile = config.environment.etc."ssl/certs/ca-certificates.crt".source; in { + environment.etc."pki/nssdb".source = + pkgs.runCommand "system-wide-nssdb" { + inherit certFile; + buildInputs = [ + pkgs.jq + pkgs.nssTools + ]; + parseInfoScript = /* jq */ '' + ${toJSON certFile} as $certFile | + + split("\t-----END CERTIFICATE-----\n")[] | + select(test("\t-----BEGIN CERTIFICATE-----\n")) | + . + "\t-----END CERTIFICATE-----\n" | + + sub("^([0-9]+\t\n)*";"") | + + (match("^([0-9]+)\t").captures[0].string | tonumber) as $lineNumber | + + gsub("(?m)^[0-9]+\t";"") | + + match("^([^\n]+)\n(.*)";"m").captures | map(.string) | + + # Line numbers are added to the names to ensure uniqueness. + "\(.[0]) (\($certFile):\($lineNumber))" as $name | + .[1] as $cert | + + { $name, $cert } + ''; + passAsFile = [ + "parseInfoScript" + ]; + } /* sh */ '' + mkdir nssdb + + nl -ba -w1 "$certFile" | + jq -ceRs -f "$parseInfoScriptPath" > certinfo.ndjson + + exec < certinfo.ndjson + while read -r certinfo; do + name=$(printf %s "$certinfo" | jq -er .name) + cert=$(printf %s "$certinfo" | jq -er .cert) + + printf %s "$cert" | certutil -A -d nssdb -n "$name" -t C,C,C + done + + mv nssdb "$out" + ''; + environment.variables = flip genAttrs (_: toString certFile) [ "CURL_CA_BUNDLE" "GIT_SSL_CAINFO" -- cgit v1.2.3