[Nix-dev] How to add (self-signed) SSL certificate to NixOS?

Nicolas Pierron nicolas.b.pierron at gmail.com
Wed Feb 4 21:56:48 CET 2015


On Wed, Feb 4, 2015 at 10:26 AM, Bjørn Forsman <bjorn.forsman at gmail.com> wrote:
> On 2 February 2015 at 21:06, Bjørn Forsman <bjorn.forsman at gmail.com> wrote:
>> On 2 February 2015 at 17:43, Eelco Dolstra <eelco.dolstra at logicblox.com> wrote:
>>> A better way (not tested):
>>>
>>>   environment.etc."ssl/certs/ca-bundle.crt".source =
>>>     pkgs.runCommand "my-ca-bundle.crt" { }
>>>       ''
>>>         cat ${pkgs.cacert}/etc/ca-bundle.crt ${./my-certificate.crt} > $out
>>>       '';
>>
>> That works! Thank you.
>
> Apparently, that was only half the problem. I also need to _override_
> this entry, because the ca.nix module already provides
> environment.etc."ssl/certs/ca-bundle.crt". My attempts so far have
> failed:
>
> (1) Plain setting. Causes "mismatched duplicate entry
> /nix/store/HASH1-my-ca-bundle.crt <->
> /nix/store/HASH2-cacert-2014-0715/etc/ca-bundle.crt":
>
>   environment.etc."ssl/certs/ca-bundle.crt".source = ...
>
> (2) "Inner mkForce". Also causes "mismatched duplicate entry ...":
>
>   environment.etc."ssl/certs/ca-bundle.crt" = lib.mkForce { source = ...; };

The following should work:

  environment.etc."ssl/certs/ca-bundle.crt".source = lib.mkForce ...;

?

> (3) "Full mkForce". This blows away all other environment.etc.* attrs,
> making the system unable to boot:
>
>   environment.etc = lib.mkForce {
>     "ssl/certs/ca-bundle.crt" = ...
>   };
>
> (4) Merge/override config attribute. Causes infinite recursion:
>
>   environment.etc = config.environment.etc // {
>     "ssl/certs/ca-bundle.crt".source = ...;
>   };



-- 
Nicolas Pierron
http://www.linkedin.com/in/nicolasbpierron - http://nbp.name/
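
Added example, not code from the thread's participants: a module fragment that combines the bundle derivation quoted above with the `.source`-level `lib.mkForce` suggested in this reply, and adds build-time checks that the appended file parses as a certificate and that the merged bundle gained exactly one entry. The names `myCert`, `upstreamBundle` and `mergedBundle`, the use of `pkgs.openssl`, and a single PEM certificate in `./my-certificate.crt` are assumptions; the bundle path is the one used in the thread.

```nix
# configuration.nix fragment (added example, not the thread authors' code)
{ config, lib, pkgs, ... }:

let
  # Assumption: one PEM-encoded certificate stored next to this file.
  myCert = ./my-certificate.crt;

  # Bundle path as written in the thread; other cacert versions may differ.
  upstreamBundle = "${pkgs.cacert}/etc/ca-bundle.crt";

  mergedBundle = pkgs.runCommand "my-ca-bundle.crt"
    { nativeBuildInputs = [ pkgs.openssl ]; }
    ''
      # Fail the build if the extra file is not a parseable X.509 certificate,
      # so a typo or an HTML error page never ends up in the trust store.
      openssl x509 -in ${myCert} -noout

      # Copy the upstream bundle, then append the local certificate.
      cat ${upstreamBundle} > $out
      # Separator newline: without it, a bundle lacking a trailing newline
      # would fuse its last END line with the next BEGIN line.
      echo >> $out
      cat ${myCert} >> $out

      # The merged file must contain exactly one more certificate than upstream.
      before=$(grep -c -- '-----BEGIN CERTIFICATE-----' ${upstreamBundle})
      after=$(grep -c -- '-----BEGIN CERTIFICATE-----' $out)
      test "$after" -eq "$((before + 1))"
    '';
in
{
  # mkForce on the .source leaf raises the priority of this one definition,
  # so it replaces the value from ca.nix without touching other
  # environment.etc entries (unlike attempts 2 and 3 in the quoted message).
  environment.etc."ssl/certs/ca-bundle.crt".source = lib.mkForce mergedBundle;
}
```

Later NixOS releases provide the `security.pki.certificateFiles` option for adding trusted certificates without overriding the bundle by hand.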

