@ -8,12 +8,10 @@ let
cacertPackage = pkgs . cacert . override {
blacklist = cfg . caCertificateBlacklist ;
extraCertificateFiles = cfg . certificateFiles ;
extraCertificateStrings = cfg . certificates ;
} ;
caCertificates = pkgs . runCommand " c a - c e r t i f i c a t e s . c r t " {
files = cfg . certificateFiles ++ [ ( builtins . toFile " e x t r a . c r t " ( concatStringsSep " \n " cfg . certificates ) ) ] ;
preferLocalBuild = true ;
} " a w k 1 $ f i l e s > $ o u t " ; # awk ensures a newline between each pair of consecutive files
caBundle = " ${ cacertPackage } / e t c / s s l / c e r t s / c a - b u n d l e . c r t " ;
in
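Review bot: `caBundle` carries no comment saying what the bundle now contains, and the awk comment on the old `caCertificates` derivation was the only place that explained how the extra certificates were joined. With `extraCertificateFiles` and `extraCertificateStrings` passed to `pkgs.cacert.override`, the user-supplied certificates appear to be processed inside the cacert build rather than appended verbatim. Whether `caCertificateBlacklist` can now also drop a certificate supplied through `cfg.certificates` or `cfg.certificateFiles` therefore depends on the cacert package, which is not visible here. I would add above `caBundle` something like `# Mozilla roots minus caCertificateBlacklist, plus security.pki.certificateFiles and security.pki.certificates, as assembled by cacert.` and state the blacklist interaction in the option descriptions. Both the option descriptions and the start of the `let` block lie outside this hunk.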
@ -74,16 +72,17 @@ in
config = {
security . pki . certificateFiles = [ " ${ cacertPackage } / e t c / s s l / c e r t s / c a - b u n d l e . c r t " ] ;
# NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility.
environment . etc . " s s l / c e r t s / c a - c e r t i f i c a t e s . c r t " . source = caCertificates ;
environment . etc . " s s l / c e r t s / c a - c e r t i f i c a t e s . c r t " . source = caBundle ;
# Old NixOS compatibility.
environment . etc . " s s l / c e r t s / c a - b u n d l e . c r t " . source = caCertificates ;
environment . etc . " s s l / c e r t s / c a - b u n d l e . c r t " . source = caBundle ;
# CentOS/Fedora compatibility.
environment . etc . " p k i / t l s / c e r t s / c a - b u n d l e . c r t " . source = caCertificates ;
environment . etc . " p k i / t l s / c e r t s / c a - b u n d l e . c r t " . source = caBundle ;
# P11-Kit trust source.
environment . etc . " s s l / t r u s t - s o u r c e " . source = " ${ cacertPackage . p11kit } / e t c / s s l / t r u s t - s o u r c e " ;
} ;
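Review bot: The new `ssl/trust-source` entry installs a second trust store beside the three bundle paths, and nothing in the hunk shows that its contents match `caBundle`. Consumers that read the p11-kit trust source instead of the PEM bundle would presumably take their anchors from `cacertPackage.p11kit`. If that output does not apply `caCertificateBlacklist` and the extra certificates the same way, a CA the administrator removed would stay trusted for those consumers. I would confirm this in the cacert derivation, which is not visible here, and then extend the comment to `# P11-Kit trust source; built from the same cacert override as caBundle, so the blacklist and extra certificates apply here too.` A module test asserting that a blacklisted CA is absent from both `/etc/ssl/certs/ca-bundle.crt` and `/etc/ssl/trust-source` would pin the behaviour.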