movefasta/nixpkgs
0
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-13 21:50:33 +03:00
Code Activity

nixos/qemu-vm: use CA certificates from host

Browse source
This commit is contained in:
Michael Hoang 2023-06-07 12:41:59 +10:00
parent 285f5e858e
commit 98d970bc37
3 changed files with 36 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

4
nixos/modules/profiles/macos-builder.nix
View file

@ -234,6 +234,10 @@ in
# This ensures that anything built on the guest isn't lost when the guest is # This ensures that anything built on the guest isn't lost when the guest is
# restarted. # restarted.
writableStoreUseTmpfs = false; writableStoreUseTmpfs = false;
# Pass certificates from host to the guest otherwise when custom CA certificates
# are required we can't use the cached builder.
useHostCerts = true;
}; };
}; };
} }

6
nixos/modules/security/ca.nix
View file

@ -18,6 +18,10 @@ in
{ {
options = { options = {
security.pki.installCACerts = mkEnableOption "Add CA certificates to system" // {
default = true;
internal = true;
};
security.pki.certificateFiles = mkOption { security.pki.certificateFiles = mkOption {
type = types.listOf types.path; type = types.listOf types.path;
@ -70,7 +74,7 @@ in
}; };
config = { config = mkIf cfg.installCACerts {
# NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility. # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility.
environment.etc."ssl/certs/ca-certificates.crt".source = caBundle; environment.etc."ssl/certs/ca-certificates.crt".source = caBundle;

28
nixos/modules/virtualisation/qemu-vm.nix
View file

@ -166,6 +166,16 @@ let
# Create a directory for exchanging data with the VM. # Create a directory for exchanging data with the VM.
mkdir -p "$TMPDIR/xchg" mkdir -p "$TMPDIR/xchg"
${lib.optionalString cfg.useHostCerts
''
mkdir -p "$TMPDIR/certs"
if [ -e "$NIX_SSL_CERT_FILE" ]; then
cp -L "$NIX_SSL_CERT_FILE" "$TMPDIR"/certs/ca-certificates.crt
else
echo \$NIX_SSL_CERT_FILE should point to a valid file if virtualisation.useHostCerts is enabled.
fi
''}
${lib.optionalString cfg.useEFIBoot ${lib.optionalString cfg.useEFIBoot
'' ''
# Expose EFI variables, it's useful even when we are not using a bootloader (!). # Expose EFI variables, it's useful even when we are not using a bootloader (!).
@ -877,7 +887,6 @@ in
''; '';
}; };
virtualisation.bios = virtualisation.bios =
mkOption { mkOption {
type = types.nullOr types.package; type = types.nullOr types.package;
@ -890,6 +899,17 @@ in
''; '';
}; };
virtualisation.useHostCerts =
mkOption {
type = types.bool;
default = false;
description =
lib.mdDoc ''
If enabled, when `NIX_SSL_CERT_FILE` is set on the host,
pass the CA certificates from the host to the VM.
'';
};
}; };
config = { config = {
@ -1024,8 +1044,14 @@ in
source = ''"''${SHARED_DIR:-$TMPDIR/xchg}"''; source = ''"''${SHARED_DIR:-$TMPDIR/xchg}"'';
target = "/tmp/shared"; target = "/tmp/shared";
}; };
certs = mkIf cfg.useHostCerts {
source = ''"$TMPDIR"/certs'';
target = "/etc/ssl/certs";
};
}; };
security.pki.installCACerts = mkIf cfg.useHostCerts false;
virtualisation.qemu.networkingOptions = virtualisation.qemu.networkingOptions =
let let
forwardingOptions = flip concatMapStrings cfg.forwardPorts forwardingOptions = flip concatMapStrings cfg.forwardPorts