lol

nixos/qemu-vm: use CA certificates from host

+36 -2
+4
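--- a/nixos/modules/profiles/macos-builder.nix
+++ b/nixos/modules/profiles/macos-builder.nix
@@ -234,6 +234,10 @@
 # This ensures that anything built on the guest isn't lost when the guest is
 # restarted.
 writableStoreUseTmpfs = false;
+
+# Pass certificates from host to the guest otherwise when custom CA certificates
+# are required we can't use the cached builder.
+useHostCerts = true;
 };
 };
 }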
+5 -1
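--- a/nixos/modules/security/ca.nix
+++ b/nixos/modules/security/ca.nix
@@ -18,6 +18,10 @@
 {
 
 options = {
+security.pki.installCACerts = mkEnableOption "Add CA certificates to system" // {
+default = true;
+internal = true;
+};
 
 security.pki.certificateFiles = mkOption {
 type = types.listOf types.path;
@@ -70,7 +74,7 @@
 
 };
 
-config = {
+config = mkIf cfg.installCACerts {
 
 # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility.
 environment.etc."ssl/certs/ca-certificates.crt".source = caBundle;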
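Review bot: The new `installCACerts` option in the first hunk is `internal`, so its description is the only place a module author learns what switching it off does, and `mkEnableOption` renders it as "Whether to enable Add CA certificates to system.", which reads badly and does not say that the `mkIf` in the second hunk also stops installing anything listed in `security.pki.certificateFiles`. I would override the description with a sentence along the lines of "Whether to install the configured CA certificates into the system trust store; disabling it leaves the trust store to be provided by other means (used by the QEMU VM host-certificate passthrough)." The `config` attribute set wrapped by the second hunk continues outside the hunk, so I cannot see which other entries the `mkIf` now covers.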
+27 -1
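--- a/nixos/modules/virtualisation/qemu-vm.nix
+++ b/nixos/modules/virtualisation/qemu-vm.nix
@@ -166,6 +166,16 @@
 # Create a directory for exchanging data with the VM.
 mkdir -p "$TMPDIR/xchg"
 
+${lib.optionalString cfg.useHostCerts
+''
+mkdir -p "$TMPDIR/certs"
+if [ -e "$NIX_SSL_CERT_FILE" ]; then
+cp -L "$NIX_SSL_CERT_FILE" "$TMPDIR"/certs/ca-certificates.crt
+else
+echo \$NIX_SSL_CERT_FILE should point to a valid file if virtualisation.useHostCerts is enabled.
+fi
+''}
+
 ${lib.optionalString cfg.useEFIBoot
 ''
 # Expose EFI variables, it's useful even when we are not using a bootloader (!).
@@ -877,7 +887,6 @@
 '';
 };
 
-
 virtualisation.bios =
 mkOption {
 type = types.nullOr types.package;
@@ -887,6 +896,17 @@
 An alternate BIOS (such as `qboot`) with which to start the VM.
 Should contain a file named `bios.bin`.
 If `null`, QEMU's builtin SeaBIOS will be used.
+'';
+};
+
+virtualisation.useHostCerts =
+mkOption {
+type = types.bool;
+default = false;
+description =
+lib.mdDoc ''
+If enabled, when `NIX_SSL_CERT_FILE` is set on the host,
+pass the CA certificates from the host to the VM.
 '';
 };
 
@@ -1024,7 +1044,13 @@
 source = ''"''${SHARED_DIR:-$TMPDIR/xchg}"'';
 target = "/tmp/shared";
 };
+certs = mkIf cfg.useHostCerts {
+source = ''"$TMPDIR"/certs'';
+target = "/etc/ssl/certs";
+};
 };
+
+security.pki.installCACerts = mkIf cfg.useHostCerts false;
 
 virtualisation.qemu.networkingOptions =
 let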
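Review bot: The `else` branch of the certificate block in the first hunk only prints a message and lets the run continue, so when `NIX_SSL_CERT_FILE` is unset or does not exist the guest still gets `$TMPDIR/certs` mounted over `/etc/ssl/certs` by the shared-directory entry in the last hunk — presumably an empty directory, since `security.pki.installCACerts` is forced off in the same hunk and nothing else populates it. The message also goes to stdout rather than stderr, where it is easy to miss among the rest of the boot output. I would write it as `echo "\$NIX_SSL_CERT_FILE should point to a valid file if virtualisation.useHostCerts is enabled." >&2` and consider exiting non-zero rather than booting a guest with no trust anchors. The option description in the third hunk should also state the side effect, e.g. "Enabling this disables `security.pki.installCACerts`, so CA certificates configured in the guest's own `security.pki` options are not installed."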