nixos/ca: use cacert package build for options and p11-kit output

The cacert package can now generate p11-kit-compatible output itself, as well as generating the correct set of outputs for fully-joined and unbundled "traditional" outputs (in standard PEM and OpenSSL-compatible formats).
3 years ago · 1b74469cd0
parent 147a61ad59
commit 1b74469cd0
2 changed files with 10 additions and 13 deletions
--- a/nixos/modules/security/ca.nix
+++ b/nixos/modules/security/ca.nix
@ -8,12 +8,10 @@ let

  cacertPackage = pkgs.cacert.override {
    blacklist = cfg.caCertificateBlacklist;
+    extraCertificateFiles = cfg.certificateFiles;
+    extraCertificateStrings = cfg.certificates;
  };
-
-  caCertificates = pkgs.runCommand "ca-certificates.crt" {
-    files = cfg.certificateFiles ++ [ (builtins.toFile "extra.crt" (concatStringsSep "\n" cfg.certificates)) ];
-    preferLocalBuild = true;
-  } "awk 1 $files > $out";  # awk ensures a newline between each pair of consecutive files
+  caBundle = "${cacertPackage}/etc/ssl/certs/ca-bundle.crt";

 in

@ -74,16 +72,17 @@ in

  config = {

-    security.pki.certificateFiles = [ "${cacertPackage}/etc/ssl/certs/ca-bundle.crt" ];
-
    # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility.
-    environment.etc."ssl/certs/ca-certificates.crt".source = caCertificates;
+    environment.etc."ssl/certs/ca-certificates.crt".source = caBundle;

    # Old NixOS compatibility.
-    environment.etc."ssl/certs/ca-bundle.crt".source = caCertificates;
+    environment.etc."ssl/certs/ca-bundle.crt".source = caBundle;

    # CentOS/Fedora compatibility.
-    environment.etc."pki/tls/certs/ca-bundle.crt".source = caCertificates;
+    environment.etc."pki/tls/certs/ca-bundle.crt".source = caBundle;
+
+    # P11-Kit trust source.
+    environment.etc."ssl/trust-source".source = "${cacertPackage.p11kit}/etc/ssl/trust-source";

  };

--- a/pkgs/applications/networking/browsers/firefox/common.nix
+++ b/pkgs/applications/networking/browsers/firefox/common.nix
@ -117,9 +117,7 @@ let
                then overrideCC stdenv llvmPackages.clangUseLLVM
                else stdenv;

-  # Disable p11-kit support in nss until our cacert packages has caught up exposing CKA_NSS_MOZILLA_CA_POLICY
-  # https://github.com/NixOS/nixpkgs/issues/126065
-  nss_pkg = if lib.versionOlder version "83" then nss_3_53 else nss.override { useP11kit = false; };
+  nss_pkg = if lib.versionOlder version "83" then nss_3_53 else nss;

  # --enable-release adds -ffunction-sections & LTO that require a big amount of
  # RAM and the 32-bit memory space cannot handle that linking