nixos/qemu-vm: use CA certificates from host

2023-06-07 12:41:59 +10:00 · 2023-06-07 12:41:59 +10:00 · 98d970bc37
parent 285f5e858e
commit 98d970bc37
3 changed files with 36 additions and 2 deletions
--- a/nixos/modules/profiles/macos-builder.nix
+++ b/nixos/modules/profiles/macos-builder.nix
@ -234,6 +234,10 @@ in
      # This ensures that anything built on the guest isn't lost when the guest is
      # restarted.
      writableStoreUseTmpfs = false;
+
+      # Pass certificates from host to the guest otherwise when custom CA certificates
+      # are required we can't use the cached builder.
+      useHostCerts = true;
    };
  };
 }
--- a/nixos/modules/security/ca.nix
+++ b/nixos/modules/security/ca.nix
@ -18,6 +18,10 @@ in
 {

  options = {
+    security.pki.installCACerts = mkEnableOption "Add CA certificates to system" // {
+      default = true;
+      internal = true;
+    };

    security.pki.certificateFiles = mkOption {
      type = types.listOf types.path;
@ -70,7 +74,7 @@ in

  };

-  config = {
+  config = mkIf cfg.installCACerts {

    # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility.
    environment.etc."ssl/certs/ca-certificates.crt".source = caBundle;
--- a/nixos/modules/virtualisation/qemu-vm.nix
+++ b/nixos/modules/virtualisation/qemu-vm.nix
@ -166,6 +166,16 @@ let
      # Create a directory for exchanging data with the VM.
      mkdir -p "$TMPDIR/xchg"

+      ${lib.optionalString cfg.useHostCerts
+      ''
+        mkdir -p "$TMPDIR/certs"
+        if [ -e "$NIX_SSL_CERT_FILE" ]; then
+          cp -L "$NIX_SSL_CERT_FILE" "$TMPDIR"/certs/ca-certificates.crt
+        else
+          echo \$NIX_SSL_CERT_FILE should point to a valid file if virtualisation.useHostCerts is enabled.
+        fi
+      ''}
+
      ${lib.optionalString cfg.useEFIBoot
      ''
        # Expose EFI variables, it's useful even when we are not using a bootloader (!).
@ -877,7 +887,6 @@ in
          '';
      };

-
    virtualisation.bios =
      mkOption {
        type = types.nullOr types.package;
@ -890,6 +899,17 @@ in
          '';
      };

+    virtualisation.useHostCerts =
+      mkOption {
+        type = types.bool;
+        default = false;
+        description =
+          lib.mdDoc ''
+            If enabled, when `NIX_SSL_CERT_FILE` is set on the host,
+            pass the CA certificates from the host to the VM.
+          '';
+      };
+
  };

  config = {
@ -1024,8 +1044,14 @@ in
        source = ''"''${SHARED_DIR:-$TMPDIR/xchg}"'';
        target = "/tmp/shared";
      };
+      certs = mkIf cfg.useHostCerts {
+        source = ''"$TMPDIR"/certs'';
+        target = "/etc/ssl/certs";
+      };
    };

+    security.pki.installCACerts = mkIf cfg.useHostCerts false;
+
    virtualisation.qemu.networkingOptions =
      let
        forwardingOptions = flip concatMapStrings cfg.forwardPorts