tv pki: generate global nssdb

This commit is contained in:
tv 2019-04-23 19:57:23 +02:00
parent 46172b7f01
commit c195713bc2

View file

@ -1,10 +1,58 @@
with import <stockholm/lib>;
{ config, ... }: let
{ config, pkgs, ... }: let
certFile = config.environment.etc."ssl/certs/ca-certificates.crt".source;
in {
environment.etc."pki/nssdb".source =
pkgs.runCommand "system-wide-nssdb" {
inherit certFile;
buildInputs = [
pkgs.jq
pkgs.nssTools
];
parseInfoScript = /* jq */ ''
${toJSON certFile} as $certFile |
split("\t-----END CERTIFICATE-----\n")[] |
select(test("\t-----BEGIN CERTIFICATE-----\n")) |
. + "\t-----END CERTIFICATE-----\n" |
sub("^([0-9]+\t\n)*";"") |
(match("^([0-9]+)\t").captures[0].string | tonumber) as $lineNumber |
gsub("(?m)^[0-9]+\t";"") |
match("^([^\n]+)\n(.*)";"m").captures | map(.string) |
# Line numbers are added to the names to ensure uniqueness.
"\(.[0]) (\($certFile):\($lineNumber))" as $name |
.[1] as $cert |
{ $name, $cert }
'';
passAsFile = [
"parseInfoScript"
];
} /* sh */ ''
mkdir nssdb
nl -ba -w1 "$certFile" |
jq -ceRs -f "$parseInfoScriptPath" > certinfo.ndjson
exec < certinfo.ndjson
while read -r certinfo; do
name=$(printf %s "$certinfo" | jq -er .name)
cert=$(printf %s "$certinfo" | jq -er .cert)
printf %s "$cert" | certutil -A -d nssdb -n "$name" -t C,C,C
done
mv nssdb "$out"
'';
environment.variables = flip genAttrs (_: toString certFile) [
"CURL_CA_BUNDLE"
"GIT_SSL_CAINFO"