NixOS in corporate

Hello everyone, I’m trying to use NixOS in my personal setup and I’m encountering a few issues.
Our setup is the following:

  • Windows machine with WSL (Ubuntu)
  • We use a proxy
  • Zscaler for security (or whatever it does, really)
  • Artifactory to cache binaries (binaries we download with apt for example), containers and similar stuff

Now, I managed to install NixOS inside WSL, I've set up the proxy by translating a bash script we use to configure Ubuntu, and added the Zscaler root certificate to the Nix configuration.

However if I try to sudo nix-channel --update I get “SSL peer certificate or SSH remote key was not OK”. If I do curl -v https://duckduckgo.com I get “curl: (35) OpenSSL/3.0.14: error:16000069:STORE routines::unregistered scheme”. So I guess I did something wrong while setting the certificate.

This is my configuration currently:

{ config, lib, pkgs, ... }:

{
  imports = [
    # include NixOS-WSL modules
    <nixos-wsl/modules>
  ];

  # Copied these urls from the Ubuntu configuration.
  networking.proxy.default = "{proxy_url}";
  networking.proxy.noProxy = "{some_other_urls}";

  wsl.enable = true;
  wsl.defaultUser = "nixos";

  security.pki.certificates = [
    ''
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
    ''
  ];
  system.stateVersion = "24.05";
}

What am I missing?
BTW I tried to look at other similar questions and their solutions but still wasn’t able to solve it.

I lost you at

and then

Is it Ubuntu or NixOS? Granted, I don’t have much experience with WSL, but this detail intrigues me.

Sorry for being imprecise. WSL works roughly like a virtual machine, I don't know much about it either, but you can install multiple instances. I mentioned the one we use with Ubuntu because we have a bash script to set some things up, like the proxy and the Zscaler certificate, which I need to replicate in the NixOS one.

Does WSL explicitly have NixOS support, or is it “generic linux” support that you’re using?

I think it generically supports Linux, specifically, I’m using this community maintained repo.

@mightyiam: nixos works totally fine in WSL. You can run whatever distro you want with it.

@Krahos: the most likely issue here is that your network configuration is incompatible with what the corp network is expecting. We probably can’t help you more without significantly more info about the services running on your corp network, which you should not be sharing over the public internet.

If your IT staff have good Linux skills, they will be able to help you figure it out. If not, you should probably just stick with Ubuntu or Debian + nix

I am having the same problem here.
During installation of NixOS on a corporate machine in Hyper-V (similar to WSL) the NixOS installer shows an error: "The system is not connected to the Internet."
When I open Firefox and go to https://nixos.org it shows an SSL error; our corporate firewall does some kind of man-in-the-middle check, but this certificate is not installed. (youtube.com works because it is excluded.)
When opening a terminal window, curl also does not work for https://nixos.org, so I exported some .pem certificates from Firefox and imported them in openssl (I think, because I have very little Linux experience).
Then I executed these 2 commands in the terminal window:

export SSL_CERT_FILE=/home/nixos/Downloads/nixos-org-chain.pem
export NIX_SSL_CERT_FILE=/home/nixos/Downloads/nixos-org-chain.pem

and now curl https://www.nixos.org worked.

This means I'm getting closer, but the installer still does not use the new certificates :roll_eyes:

You may have to set the proxy too? We all should document how to make it work in corporate environments at Enterprise - NixOS Wiki

My company uses an F5 firewall and we don’t have to set the proxy because ALL internet traffic is intercepted. (except for youtube and ms office/teams)
Anyway I installed nixos by using my phone as a hotspot over wifi, lame but it worked.

Because, after the installation, updating the configuration.nix with sudo nixos-rebuild switch did not work. The certificates were not active yet so I edited the configuration.nix file and added the certificates:

  # security.pki.certificateFiles = [ "/etc/nixos/nixos-org-chain.pem" ]; --> this might just work as well if you put the Firefox downloaded certificates here, otherwise just paste them like this:
  security.pki.certificates = [ ''
*.nixos.org:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Company Firewall:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Company Issuing CA:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Company Root CA:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
    ''
  ];

and then activated the new configuration with:
sudo HOME=/root NIX_SSL_CERT_FILE=/etc/nixos/nixos-org-chain.pem nixos-rebuild switch
( more info about this “special” switch command: https://github.com/NixOS/nixpkgs/issues/70939 )

After this I could edit the configuration.nix file and just switch with the normal sudo nixos-rebuild switch command.
Maybe these steps could be useful for someone in the future, although it would be more useful to be able to start the Calamares NixOS installer with the extra arguments, e.g.:
sudo HOME=/root NIX_SSL_CERT_FILE=/etc/nixos/nixos-org-chain.pem start-nixos-installer...
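Both configurations in this thread paste a whole exported chain (server leaf, firewall certificate, issuing CA, root CA) into security.pki.certificates. As an added example that is not code from either poster, the script below splits such a bundle and reports, per block, which entries are real CA certificates and which are leaves that add nothing to a trust store; the CA name, host name and file paths are constructed, and it needs POSIX sh, awk and the openssl CLI.

```shell
# Added example, not code from the thread: split a PEM bundle of the kind pasted
# into security.pki.certificates above and report, per block, subject, expiry
# and whether the block is actually a CA. Needs POSIX sh, awk and the openssl CLI.
set -eu

# Copy each BEGIN/END CERTIFICATE block of FILE to DIR/<n>.pem and print the count.
# Text between blocks (labels such as "Company Root CA:") is skipped.
split_pem_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" n ".pem" }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
        END { print n + 0 }' "$1"
}

# One report line per certificate in FILE. A block without CA:TRUE is a leaf: it
# cannot anchor a chain by itself and stops matching when the server rotates it.
inspect_bundle() {
    dir=$(mktemp -d); count=$(split_pem_bundle "$1" "$dir"); i=1
    while [ "$i" -le "$count" ]; do
        cert="$dir/$i.pem"
        subject=$(openssl x509 -noout -subject -in "$cert")
        expiry=$(openssl x509 -noout -enddate -in "$cert")
        if openssl x509 -noout -text -in "$cert" | grep -q 'CA:TRUE'; then
            kind='CA (usable as a trust anchor)'
        else
            kind='leaf, NOT a CA (adds nothing to the trust store)'
        fi
        printf '%s: %s | %s | %s\n' "$i" "$subject" "$expiry" "$kind"
        i=$((i + 1))
    done
    rm -rf "$dir"
}

# Number of blocks in FILE that carry CA:TRUE.
count_ca_certs() { inspect_bundle "$1" | grep -c 'CA (usable' || true; }

# Demo on a constructed, throwaway root CA and a leaf it signs (hypothetical names).
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Example Corp Root CA' \
    -addext 'basicConstraints=critical,CA:TRUE' -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj '/CN=www.example.test' \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null
BUNDLE="$WORK/bundle.pem"
{ echo 'www.example.test:'; cat "$WORK/leaf.pem"; echo 'Company Root CA:'; cat "$WORK/ca.pem"; } > "$BUNDLE"
inspect_bundle "$BUNDLE"
```

Point inspect_bundle at the file you intend to reference from security.pki.certificateFiles before rebuilding; only the blocks reported as CA certificates are worth keeping in the trust store.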