Add a setting for configuring the SSL certificates file
This provides a platform-independent way to configure the SSL certificates file in the Nix daemon. Previously we provided instructions for overriding the environment variable in launchd, but that obviously doesn't work with systemd. Now we can just tell users to add ssl-cert-file = /etc/ssl/my-certificate-bundle.crt to their nix.conf.
This commit is contained in:
parent
790dd2555b
commit
e53e5c38d4
|
@ -42,14 +42,11 @@ export NIX_SSL_CERT_FILE=/etc/ssl/my-certificate-bundle.crt
|
||||||
> You must not add the export and then do the install, as the Nix
|
> You must not add the export and then do the install, as the Nix
|
||||||
> installer will detect the presence of Nix configuration, and abort.
|
> installer will detect the presence of Nix configuration, and abort.
|
||||||
|
|
||||||
## `NIX_SSL_CERT_FILE` with macOS and the Nix daemon
|
If you use the Nix daemon, you should also add the following to
|
||||||
|
`/etc/nix/nix.conf`:
|
||||||
|
|
||||||
On macOS you must specify the environment variable for the Nix daemon
|
```
|
||||||
service, then restart it:
|
ssl-cert-file = /etc/ssl/my-certificate-bundle.crt
|
||||||
|
|
||||||
```console
|
|
||||||
$ sudo launchctl setenv NIX_SSL_CERT_FILE /etc/ssl/my-certificate-bundle.crt
|
|
||||||
$ sudo launchctl kickstart -k system/org.nixos.nix-daemon
|
|
||||||
```
|
```
|
||||||
|
|
||||||
## Proxy Environment Variables
|
## Proxy Environment Variables
|
||||||
|
|
|
@ -4,8 +4,6 @@
|
||||||
<dict>
|
<dict>
|
||||||
<key>EnvironmentVariables</key>
|
<key>EnvironmentVariables</key>
|
||||||
<dict>
|
<dict>
|
||||||
<key>NIX_SSL_CERT_FILE</key>
|
|
||||||
<string>/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt</string>
|
|
||||||
<key>OBJC_DISABLE_INITIALIZE_FORK_SAFETY</key>
|
<key>OBJC_DISABLE_INITIALIZE_FORK_SAFETY</key>
|
||||||
<string>YES</string>
|
<string>YES</string>
|
||||||
</dict>
|
</dict>
|
||||||
|
|
|
@ -318,7 +318,7 @@ struct curlFileTransfer : public FileTransfer
|
||||||
|
|
||||||
if (request.verifyTLS) {
|
if (request.verifyTLS) {
|
||||||
if (settings.caFile != "")
|
if (settings.caFile != "")
|
||||||
curl_easy_setopt(req, CURLOPT_CAINFO, settings.caFile.c_str());
|
curl_easy_setopt(req, CURLOPT_CAINFO, settings.caFile.get().c_str());
|
||||||
} else {
|
} else {
|
||||||
curl_easy_setopt(req, CURLOPT_SSL_VERIFYPEER, 0);
|
curl_easy_setopt(req, CURLOPT_SSL_VERIFYPEER, 0);
|
||||||
curl_easy_setopt(req, CURLOPT_SSL_VERIFYHOST, 0);
|
curl_easy_setopt(req, CURLOPT_SSL_VERIFYHOST, 0);
|
||||||
|
|
|
@ -44,14 +44,9 @@ Settings::Settings()
|
||||||
lockCPU = getEnv("NIX_AFFINITY_HACK") == "1";
|
lockCPU = getEnv("NIX_AFFINITY_HACK") == "1";
|
||||||
allowSymlinkedStore = getEnv("NIX_IGNORE_SYMLINK_STORE") == "1";
|
allowSymlinkedStore = getEnv("NIX_IGNORE_SYMLINK_STORE") == "1";
|
||||||
|
|
||||||
caFile = getEnv("NIX_SSL_CERT_FILE").value_or(getEnv("SSL_CERT_FILE").value_or(""));
|
auto sslOverride = getEnv("NIX_SSL_CERT_FILE").value_or(getEnv("SSL_CERT_FILE").value_or(""));
|
||||||
if (caFile == "") {
|
if (sslOverride != "")
|
||||||
for (auto & fn : {"/etc/ssl/certs/ca-certificates.crt", "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"})
|
caFile = sslOverride;
|
||||||
if (pathExists(fn)) {
|
|
||||||
caFile = fn;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Backwards compatibility. */
|
/* Backwards compatibility. */
|
||||||
auto s = getEnv("NIX_REMOTE_SYSTEMS");
|
auto s = getEnv("NIX_REMOTE_SYSTEMS");
|
||||||
|
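Review bot: The assignment `caFile = sslOverride;` happens in the constructor, before any nix.conf has been read, so a `ssl-cert-file` line in the config file will replace the value taken from `NIX_SSL_CERT_FILE`/`SSL_CERT_FILE` rather than the other way round, and nothing in the hunk says which order is intended. A short comment at the assignment would settle it for the next reader, e.g. `/* The environment overrides the built-in default; a value from nix.conf, applied after construction, overrides both. */`. Whether assigning through `operator=` also marks the setting as overridden is not visible here and is worth confirming, since it affects how the value is reported. The value is still not checked for existence, which matches the removed code, but it means a stale environment variable now silently produces an empty or missing CA file exactly as before. Settings::Settings continues outside the hunk.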
@ -187,6 +182,13 @@ bool Settings::isWSL1()
|
||||||
return hasSuffix(utsbuf.release, "-Microsoft");
|
return hasSuffix(utsbuf.release, "-Microsoft");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Path Settings::getDefaultSSLCertFile()
|
||||||
|
{
|
||||||
|
for (auto & fn : {"/etc/ssl/certs/ca-certificates.crt", "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"})
|
||||||
|
if (pathExists(fn)) return fn;
|
||||||
|
return "";
|
||||||
|
}
|
||||||
|
|
||||||
const std::string nixVersion = PACKAGE_VERSION;
|
const std::string nixVersion = PACKAGE_VERSION;
|
||||||
|
|
||||||
NLOHMANN_JSON_SERIALIZE_ENUM(SandboxMode, {
|
NLOHMANN_JSON_SERIALIZE_ENUM(SandboxMode, {
|
||||||
|
|
|
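Review bot: `getDefaultSSLCertFile()` returns `""` when neither candidate bundle exists, and that empty string is what makes the caller at `if (settings.caFile != "")` skip `CURLOPT_CAINFO` and leave curl's built-in CA path in force, yet neither the function nor its declaration says so. A header comment such as `/* Return the first well-known CA bundle that exists, or "" to leave the TLS library's built-in default in place. */` would make that contract explicit. The function reads no instance state, so it could be declared `static` in the class (the declaration hunk at `@ -64,6 +64,8` is the place); note also that the existence check runs once, at construction, so a bundle created after the daemon starts is not picked up.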
@ -64,6 +64,8 @@ class Settings : public Config {
|
||||||
|
|
||||||
bool isWSL1();
|
bool isWSL1();
|
||||||
|
|
||||||
|
Path getDefaultSSLCertFile();
|
||||||
|
|
||||||
public:
|
public:
|
||||||
|
|
||||||
Settings();
|
Settings();
|
||||||
|
@ -826,8 +828,17 @@ public:
|
||||||
> `.netrc`.
|
> `.netrc`.
|
||||||
)"};
|
)"};
|
||||||
|
|
||||||
/* Path to the SSL CA file used */
|
Setting<Path> caFile{
|
||||||
Path caFile;
|
this, getDefaultSSLCertFile(), "ssl-cert-file",
|
||||||
|
R"(
|
||||||
|
The path of a file containing CA certificates used to
|
||||||
|
authenticate `https://` downloads. It defaults to the first
|
||||||
|
of `/etc/ssl/certs/ca-certificates.crt` and
|
||||||
|
`/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt`
|
||||||
|
that exists. It can be overriden using the
|
||||||
|
`NIX_SSL_CERT_FILE` and `SSL_CERT_FILE` environment variable
|
||||||
|
(in that order of precedence).
|
||||||
|
)"};
|
||||||
|
|
||||||
#if __linux__
|
#if __linux__
|
||||||
Setting<bool> filterSyscalls{
|
Setting<bool> filterSyscalls{
|
||||||
|
|
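Review bot: The description of `caFile` says the default "can be overriden using the `NIX_SSL_CERT_FILE` and `SSL_CERT_FILE` environment variable" but does not say how a `ssl-cert-file` line in nix.conf ranks against those variables, nor what happens when none of the listed files exists (the setting is then empty and no CA file is passed to the TLS library, per the filetransfer hunk at `@ -318,7 +318,7`). Both points belong in this text, since it is what users will read when they configure a private CA bundle. While editing it, "overriden" should read "overridden" and "environment variable" should be plural. The enclosing class continues outside the hunk.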