[Nix-dev] How to add (self-signed) SSL certificate to NixOS?
Bjørn Forsman
bjorn.forsman at gmail.com
Wed Feb 4 10:26:07 CET 2015
On 2 February 2015 at 21:06, Bjørn Forsman <bjorn.forsman at gmail.com> wrote:
> On 2 February 2015 at 17:43, Eelco Dolstra <eelco.dolstra at logicblox.com> wrote:
>> A better way (not tested):
>>
>>   environment.etc."ssl/certs/ca-bundle.crt".source =
>>     pkgs.runCommand "my-ca-bundle.crt" { }
>>       ''
>>         cat ${pkgs.cacert}/etc/ca-bundle.crt ${./my-certificate.crt} > $out
>>       '';
>
> That works! Thank you.

Apparently, that was only half the problem. I also need to _override_
this entry, because the ca.nix module already provides
environment.etc."ssl/certs/ca-bundle.crt". My attempts so far have
failed:

(1) Plain setting. Causes "mismatched duplicate entry
/nix/store/HASH1-my-ca-bundle.crt <->
/nix/store/HASH2-cacert-2014-0715/etc/ca-bundle.crt":

  environment.etc."ssl/certs/ca-bundle.crt".source = ...

(2) "Inner mkForce". Also causes "mismatched duplicate entry ...":

  environment.etc."ssl/certs/ca-bundle.crt" = lib.mkForce { source = ...; };

(3) "Full mkForce". This blows away all other environment.etc.* attrs,
making the system unable to boot:

  environment.etc = lib.mkForce {
    "ssl/certs/ca-bundle.crt" = ...
  };

(4) Merge/override config attribute. Causes infinite recursion:

  environment.etc = config.environment.etc // {
    "ssl/certs/ca-bundle.crt".source = ...;
  };

Any ideas?

Best regards,
Bjørn Forsman
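
Added example, not part of the original message or of NixOS: the quoted suggestion builds the bundle with a plain `cat`, which fuses the PEM markers into one line if the first file lacks a trailing newline. The sketch below merges with a guaranteed separator and checks the result; the helper names and the sample files are hypothetical, and the certificate bodies are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread). Helper names are hypothetical.
BEGIN='-----BEGIN CERTIFICATE-----'
END='-----END CERTIFICATE-----'

# merge_ca_bundle BUNDLE EXTRA OUT: like `cat BUNDLE EXTRA > OUT`, but
# guarantees a newline between the two files so PEM markers never fuse.
merge_ca_bundle() {
    grep -q -e "$BEGIN" "$2" || { echo "no PEM certificate in $2" >&2; return 1; }
    {
        cat "$1"
        # $(tail -c 1) is empty only when the file ends in a newline (or is empty)
        [ -z "$(tail -c 1 "$1")" ] || echo
        cat "$2"
        [ -z "$(tail -c 1 "$2")" ] || echo
    } > "$3"
}

# count_certs FILE: number of lines that are exactly a BEGIN marker.
count_certs() { grep -c -x -e "$BEGIN" "$1" || true; }

# bundle_ok FILE: succeed only if every BEGIN/END marker sits alone on its
# line and the two counts match (and are non-zero).
bundle_ok() {
    b_any=$(grep -c -e "$BEGIN" "$1" || true)
    e_any=$(grep -c -e "$END" "$1" || true)
    b_line=$(count_certs "$1")
    e_line=$(grep -c -x -e "$END" "$1" || true)
    [ "$b_line" -gt 0 ] && [ "$b_any" -eq "$b_line" ] &&
        [ "$e_any" -eq "$e_line" ] && [ "$b_line" -eq "$e_line" ]
}

# Demo on constructed input (placeholder bodies, not real certificates).
demo=$(mktemp -d)
printf '%s\nQUFBQQ==\n%s' "$BEGIN" "$END" > "$demo/ca-bundle.crt"   # no final newline
printf '%s\nQkJCQg==\n%s\n' "$BEGIN" "$END" > "$demo/my-certificate.crt"
cat "$demo/ca-bundle.crt" "$demo/my-certificate.crt" > "$demo/naive.crt"
merge_ca_bundle "$demo/ca-bundle.crt" "$demo/my-certificate.crt" "$demo/merged.crt"
bundle_ok "$demo/naive.crt"  && echo "naive: ok"  || echo "naive: malformed"
bundle_ok "$demo/merged.crt" && echo "merged: ok ($(count_certs "$demo/merged.crt") certs)" || echo "merged: malformed"
```

The same two guards can be placed inside the runCommand script so that a malformed bundle fails the build instead of reaching /etc.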