Merge pull request #8062 from edolstra/ssl-cert-file
Add a setting for configuring the SSL certificates file
@ -42,14 +42,11 @@ export NIX_SSL_CERT_FILE=/etc/ssl/my-certificate-bundle.crt
|
||||||
> You must not add the export and then do the install, as the Nix
|
> You must not add the export and then do the install, as the Nix
|
||||||
> installer will detect the presence of Nix configuration, and abort.
|
> installer will detect the presence of Nix configuration, and abort.
|
||||||
|
|
||||||
## `NIX_SSL_CERT_FILE` with macOS and the Nix daemon
|
If you use the Nix daemon, you should also add the following to
|
||||||
|
`/etc/nix/nix.conf`:
|
||||||
|
|
||||||
On macOS you must specify the environment variable for the Nix daemon
|
```
|
||||||
service, then restart it:
|
ssl-cert-file = /etc/ssl/my-certificate-bundle.crt
|
||||||
|
|
||||||
```console
|
|
||||||
$ sudo launchctl setenv NIX_SSL_CERT_FILE /etc/ssl/my-certificate-bundle.crt
|
|
||||||
$ sudo launchctl kickstart -k system/org.nixos.nix-daemon
|
|
||||||
```
|
```
|
||||||
|
|
||||||
## Proxy Environment Variables
|
## Proxy Environment Variables
|
||||||
|
|
|
@ -4,8 +4,6 @@
|
||||||
<dict>
|
<dict>
|
||||||
<key>EnvironmentVariables</key>
|
<key>EnvironmentVariables</key>
|
||||||
<dict>
|
<dict>
|
||||||
<key>NIX_SSL_CERT_FILE</key>
|
|
||||||
<string>/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt</string>
|
|
||||||
<key>OBJC_DISABLE_INITIALIZE_FORK_SAFETY</key>
|
<key>OBJC_DISABLE_INITIALIZE_FORK_SAFETY</key>
|
||||||
<string>YES</string>
|
<string>YES</string>
|
||||||
</dict>
|
</dict>
|
||||||
|
|
|
@ -318,7 +318,7 @@ struct curlFileTransfer : public FileTransfer
|
||||||
|
|
||||||
if (request.verifyTLS) {
|
if (request.verifyTLS) {
|
||||||
if (settings.caFile != "")
|
if (settings.caFile != "")
|
||||||
curl_easy_setopt(req, CURLOPT_CAINFO, settings.caFile.c_str());
|
curl_easy_setopt(req, CURLOPT_CAINFO, settings.caFile.get().c_str());
|
||||||
} else {
|
} else {
|
||||||
curl_easy_setopt(req, CURLOPT_SSL_VERIFYPEER, 0);
|
curl_easy_setopt(req, CURLOPT_SSL_VERIFYPEER, 0);
|
||||||
curl_easy_setopt(req, CURLOPT_SSL_VERIFYHOST, 0);
|
curl_easy_setopt(req, CURLOPT_SSL_VERIFYHOST, 0);
|
||||||
|
|
|
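Review bot: The condition `if (settings.caFile != "")` on the line above the changed one still relies on `Setting<Path>` comparing implicitly, while the changed line now spells out `.get()`; two adjacent uses of the same member with different styles read as an oversight. Either `if (!settings.caFile.get().empty())` or leaving both implicit would be consistent. When `caFile` is empty no `CURLOPT_CAINFO` is set at all, so verification then presumably falls back to curl's own default CA locations; a one-line comment `// empty caFile: let curl use its default CA store` would make that intentional fallback visible next to the verify-peer/verify-host branch. The enclosing method in `curlFileTransfer` begins before and ends after this hunk.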
@ -44,14 +44,9 @@ Settings::Settings()
|
||||||
lockCPU = getEnv("NIX_AFFINITY_HACK") == "1";
|
lockCPU = getEnv("NIX_AFFINITY_HACK") == "1";
|
||||||
allowSymlinkedStore = getEnv("NIX_IGNORE_SYMLINK_STORE") == "1";
|
allowSymlinkedStore = getEnv("NIX_IGNORE_SYMLINK_STORE") == "1";
|
||||||
|
|
||||||
caFile = getEnv("NIX_SSL_CERT_FILE").value_or(getEnv("SSL_CERT_FILE").value_or(""));
|
auto sslOverride = getEnv("NIX_SSL_CERT_FILE").value_or(getEnv("SSL_CERT_FILE").value_or(""));
|
||||||
if (caFile == "") {
|
if (sslOverride != "")
|
||||||
for (auto & fn : {"/etc/ssl/certs/ca-certificates.crt", "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"})
|
caFile = sslOverride;
|
||||||
if (pathExists(fn)) {
|
|
||||||
caFile = fn;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Backwards compatibility. */
|
/* Backwards compatibility. */
|
||||||
auto s = getEnv("NIX_REMOTE_SYSTEMS");
|
auto s = getEnv("NIX_REMOTE_SYSTEMS");
|
||||||
|
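Review bot: The environment override is now applied in the constructor body after `caFile` has been initialised from `getDefaultSSLCertFile()`, so whether `NIX_SSL_CERT_FILE`/`SSL_CERT_FILE` or an `ssl-cert-file` line in `nix.conf` wins depends on whether the configuration file is parsed after this constructor runs, which the hunk does not show. The new setting description in the globals.hh hunk says the path "can be overridden by the following environment variables" but does not say how the environment relates to the configuration file; one sentence there stating which source takes precedence when both are set would remove the ambiguity — confirm the load order before wording it. Note also that `value_or("")` followed by `sslOverride != ""` treats a set-but-empty `NIX_SSL_CERT_FILE` like an unset one and falls through to `SSL_CERT_FILE`; that matches the removed code, but a comment `// set-but-empty is treated as unset` would make it deliberate. `Settings::Settings` starts before and ends after this hunk.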
@ -175,6 +170,13 @@ bool Settings::isWSL1()
|
||||||
return hasSuffix(utsbuf.release, "-Microsoft");
|
return hasSuffix(utsbuf.release, "-Microsoft");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Path Settings::getDefaultSSLCertFile()
|
||||||
|
{
|
||||||
|
for (auto & fn : {"/etc/ssl/certs/ca-certificates.crt", "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"})
|
||||||
|
if (pathExists(fn)) return fn;
|
||||||
|
return "";
|
||||||
|
}
|
||||||
|
|
||||||
const std::string nixVersion = PACKAGE_VERSION;
|
const std::string nixVersion = PACKAGE_VERSION;
|
||||||
|
|
||||||
NLOHMANN_JSON_SERIALIZE_ENUM(SandboxMode, {
|
NLOHMANN_JSON_SERIALIZE_ENUM(SandboxMode, {
|
||||||
|
|
|
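Review bot: `getDefaultSSLCertFile` reads no member state, yet it is declared as a non-static member and is called from the member initializer of `caFile` in the globals.hh hunk, i.e. before the `Settings` object is fully constructed; declaring it `static Path getDefaultSSLCertFile();` in the header would make that safety explicit and let the compiler enforce that it never touches members. The function has no documentation; a header comment such as `/* Return the first well-known CA bundle path that exists, or "" so that no CA file is passed to curl. */` would record the empty-string contract that the filetransfer.cc hunk relies on. Since `pathExists` is evaluated once at construction, a bundle that disappears or becomes unreadable afterwards will surface only as a download-time TLS failure rather than here — presumably acceptable, but worth noting in that comment.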
@ -63,6 +63,8 @@ class Settings : public Config {
|
||||||
|
|
||||||
bool isWSL1();
|
bool isWSL1();
|
||||||
|
|
||||||
|
Path getDefaultSSLCertFile();
|
||||||
|
|
||||||
public:
|
public:
|
||||||
|
|
||||||
Settings();
|
Settings();
|
||||||
|
@ -825,8 +827,22 @@ public:
|
||||||
> `.netrc`.
|
> `.netrc`.
|
||||||
)"};
|
)"};
|
||||||
|
|
||||||
/* Path to the SSL CA file used */
|
Setting<Path> caFile{
|
||||||
Path caFile;
|
this, getDefaultSSLCertFile(), "ssl-cert-file",
|
||||||
|
R"(
|
||||||
|
The path of a file containing CA certificates used to
|
||||||
|
authenticate `https://` downloads. Nix by default will use
|
||||||
|
the first of the following files that exists:
|
||||||
|
|
||||||
|
1. `/etc/ssl/certs/ca-certificates.crt`
|
||||||
|
2. `/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt`
|
||||||
|
|
||||||
|
The path can be overridden by the following environment
|
||||||
|
variables, in order of precedence:
|
||||||
|
|
||||||
|
1. `NIX_SSL_CERT_FILE`
|
||||||
|
2. `SSL_CERT_FILE`
|
||||||
|
)"};
|
||||||
|
|
||||||
#if __linux__
|
#if __linux__
|
||||||
Setting<bool> filterSyscalls{
|
Setting<bool> filterSyscalls{
|
||||||
|
|