Add a setting for configuring the SSL certificates file

This provides a platform-independent way to configure the SSL certificates file in the Nix daemon. Previously we provided instructions for overriding the environment variable in launchd, but that obviously doesn't work with systemd. Now we can just tell users to add ssl-cert-file = /etc/ssl/my-certificate-bundle.crt to their nix.conf.
author: Eelco Dolstra <edolstra@gmail.com> 2023-03-17 18:32:18 +0100
committer: Eelco Dolstra <edolstra@gmail.com> 2023-03-17 18:32:18 +0100
commit: e53e5c38d4a6f89dbb7e33448977a95e5b4ab2eb (patch)
tree: 39caf9b531a06954b56ad46b9f29e70905e6d5fa
parent: 790dd2555b8a324035af8b03aad582a25f7a0ecd (diff)
5 files changed, 28 insertions, 20 deletions
diff --git a/doc/manual/src/installation/env-variables.md b/doc/manual/src/installation/env-variables.md
index fb8155a80..db98f52ff 100644
--- a/doc/manual/src/installation/env-variables.md
+++ b/doc/manual/src/installation/env-variables.md
@@ -42,14 +42,11 @@ export NIX_SSL_CERT_FILE=/etc/ssl/my-certificate-bundle.crt
 > You must not add the export and then do the install, as the Nix
 > installer will detect the presence of Nix configuration, and abort.
 
-## `NIX_SSL_CERT_FILE` with macOS and the Nix daemon
+If you use the Nix daemon, you should also add the following to
+`/etc/nix/nix.conf`:
 
-On macOS you must specify the environment variable for the Nix daemon
-service, then restart it:
-
-```console
-$ sudo launchctl setenv NIX_SSL_CERT_FILE /etc/ssl/my-certificate-bundle.crt
-$ sudo launchctl kickstart -k system/org.nixos.nix-daemon
+```
+ssl-cert-file = /etc/ssl/my-certificate-bundle.crt
 ```
 
 ## Proxy Environment Variables
diff --git a/misc/launchd/org.nixos.nix-daemon.plist.in b/misc/launchd/org.nixos.nix-daemon.plist.in
index 5fa489b20..e1470cf99 100644
--- a/misc/launchd/org.nixos.nix-daemon.plist.in
+++ b/misc/launchd/org.nixos.nix-daemon.plist.in
@@ -4,8 +4,6 @@
   <dict>
     <key>EnvironmentVariables</key>
     <dict>
-      <key>NIX_SSL_CERT_FILE</key>
-      <string>/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt</string>
       <key>OBJC_DISABLE_INITIALIZE_FORK_SAFETY</key>
       <string>YES</string>
     </dict>
diff --git a/src/libstore/filetransfer.cc b/src/libstore/filetransfer.cc
index b5fe7c03b..1ba399a29 100644
--- a/src/libstore/filetransfer.cc
+++ b/src/libstore/filetransfer.cc
@@ -318,7 +318,7 @@ struct curlFileTransfer : public FileTransfer
 
             if (request.verifyTLS) {
                 if (settings.caFile != "")
-                    curl_easy_setopt(req, CURLOPT_CAINFO, settings.caFile.c_str());
+                    curl_easy_setopt(req, CURLOPT_CAINFO, settings.caFile.get().c_str());
             } else {
                 curl_easy_setopt(req, CURLOPT_SSL_VERIFYPEER, 0);
                 curl_easy_setopt(req, CURLOPT_SSL_VERIFYHOST, 0);
diff --git a/src/libstore/globals.cc b/src/libstore/globals.cc
index fae79c1a0..7be5c89b7 100644
--- a/src/libstore/globals.cc
+++ b/src/libstore/globals.cc
@@ -44,14 +44,9 @@ Settings::Settings()
     lockCPU = getEnv("NIX_AFFINITY_HACK") == "1";
     allowSymlinkedStore = getEnv("NIX_IGNORE_SYMLINK_STORE") == "1";
 
-    caFile = getEnv("NIX_SSL_CERT_FILE").value_or(getEnv("SSL_CERT_FILE").value_or(""));
-    if (caFile == "") {
-        for (auto & fn : {"/etc/ssl/certs/ca-certificates.crt", "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"})
-            if (pathExists(fn)) {
-                caFile = fn;
-                break;
-            }
-    }
+    auto sslOverride = getEnv("NIX_SSL_CERT_FILE").value_or(getEnv("SSL_CERT_FILE").value_or(""));
+    if (sslOverride != "")
+        caFile = sslOverride;
 
     /* Backwards compatibility. */
     auto s = getEnv("NIX_REMOTE_SYSTEMS");
@@ -187,6 +182,13 @@ bool Settings::isWSL1()
     return hasSuffix(utsbuf.release, "-Microsoft");
 }
 
+Path Settings::getDefaultSSLCertFile()
+{
+    for (auto & fn : {"/etc/ssl/certs/ca-certificates.crt", "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"})
+        if (pathExists(fn)) return fn;
+    return "";
+}
+
 const std::string nixVersion = PACKAGE_VERSION;
 
 NLOHMANN_JSON_SERIALIZE_ENUM(SandboxMode, {
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index 93086eaf8..95f6b5e35 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -64,6 +64,8 @@ class Settings : public Config {
 
     bool isWSL1();
 
+    Path getDefaultSSLCertFile();
+
 public:
 
     Settings();
@@ -826,8 +828,17 @@ public:
           > `.netrc`.
         )"};
 
-    /* Path to the SSL CA file used */
-    Path caFile;
+    Setting<Path> caFile{
+        this, getDefaultSSLCertFile(), "ssl-cert-file",
+        R"(
+          The path of a file containing CA certificates used to
+          authenticate `https://` downloads. It defaults to the first
+          of `/etc/ssl/certs/ca-certificates.crt` and
+          `/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt`
+          that exists. It can be overriden using the
+          `NIX_SSL_CERT_FILE` and `SSL_CERT_FILE` environment variable
+          (in that order of precedence).
+        )"};
 
 #if __linux__
     Setting<bool> filterSyscalls{
author	Eelco Dolstra <edolstra@gmail.com>	2023-03-17 18:32:18 +0100
committer	Eelco Dolstra <edolstra@gmail.com>	2023-03-17 18:32:18 +0100
commit	e53e5c38d4a6f89dbb7e33448977a95e5b4ab2eb (patch)
tree	39caf9b531a06954b56ad46b9f29e70905e6d5fa
parent	790dd2555b8a324035af8b03aad582a25f7a0ecd (diff)