I have some git repos hosted via cgit in LAN and use a self-signed certificate for https. I want to add a local git repo in flake inputs in NixOS configuration.
However, adding it directly causes the error `OpenSSL/3.0.14: error:16000069:STORE routines::unregistered scheme` because the certificate is not trusted. I know git supports setting GIT_SSL_CAINFO for the root CA, but is there a way to do it in a flake?
Thanks
Did you try adding this to your system configuration?

```nix
security.pki.certificates = [
  ''-----BEGIN CERTIFICATE-----
  ... your cert etc.
  -----END CERTIFICATE-----''
];
```
this will add your self cert to be trusted if I recall correctly, I switched to let’s encrypt so I’ve not done this in a bit.
I didn’t do that because I don’t want to trust the cert globally in my system for security reasons. I only want to trust it when I am cloning the repo.
My repo is hosted locally without a public domain. So let’s encrypt is not an option for me either.
You could specify the custom CA in ssl-cert-file.
Bit of a tangent, but you can issue wildcard certificates through let’s encrypt if you don’t want the domain to be visible in issuance logs. My domain has a subdomain (srv.domain.tld) for which I am using a wildcard cert. All services are using domain names like git.srv.domain.tld.
The ssl-cert-file seems to overwrite the default certificate, which makes it unable to download from other sources over https. Besides, it is difficult to set it up, as /etc/nix/nix.conf is managed by NixOS configurations and it couldn’t be set up when deploying it on a new machine.
The file is meant to store a CA cert bundle, so you can append yours to the existing ones.
For deployment scenario you can use an env var or a nix command switch.
It seems that I need to copy the system CA cert bundle first, append my own cert and store it, especially when I need to use an env var or nix command switch as I can’t specify a nix store path with the cert.
Then it causes another problem where I need to keep it up to date as the system cert may get updated.
Rolling one’s own CA comes at a TCO price pretty much by definition. Still easier than becoming a public CA.
I used to do it (way before the days of Lets Encrypt having the wildcards) but now that there’s an easy button out there - I wouldn’t do it again except for learning experience.
If you want to make the bundle dynamic, you can write a tiny derivation that produces a cert bundle with your certificate appended to it and use it during the initial install.
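As an added illustration of the two suggestions above (appending your CA to the existing bundle, and producing that bundle from a derivation), here is a small NixOS module that is not from this thread. It assumes the internal CA certificate sits at `./internal-ca.pem` next to the module and that `nix.settings` accepts the `ssl-cert-file` nix.conf option (it is a freeform attribute set in NixOS); everything else uses standard NixOS and nixpkgs names.

```nix
# Added example (not from the thread): build a CA bundle consisting of the
# upstream Mozilla bundle shipped by pkgs.cacert plus one internal self-signed
# cert, and point only Nix (flake inputs, fetchurl, ...) at it through the
# ssl-cert-file setting. The system-wide trust store stays untouched, which is
# what the original poster asked for.
#
# Assumption: the internal CA cert is stored at ./internal-ca.pem next to this
# module (a placeholder path, not from the thread).
{ config, pkgs, lib, ... }:

let
  # ssl-cert-file replaces the default bundle instead of extending it, so the
  # upstream cacert bundle must be included or every other https input breaks.
  nixCaBundle = pkgs.runCommand "ca-bundle-with-internal-ca" { } ''
    {
      cat ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
      echo            # guard against a bundle that lacks a trailing newline
      cat ${./internal-ca.pem}
    } > $out
  '';
in
{
  # Trust the internal CA for Nix fetches only. Because the bundle is a
  # derivation, it is rebuilt whenever nixpkgs (and thus cacert) is updated,
  # so the copy does not go stale.
  nix.settings.ssl-cert-file = "${nixCaBundle}";
}
```

For the bootstrapping case raised below (the machine cannot yet build its own configuration), the same bundle can be built once on a machine that already trusts the CA with `nix build` and copied out of band; exporting `NIX_SSL_CERT_FILE=/path/to/bundle` or passing `--option ssl-cert-file /path/to/bundle` then lets the installer fetch the flake inputs without touching the target’s global trust store.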
Yeah, you are right. I don’t own any public domain names, so it doesn’t make much sense to buy one just for internal use (also it is usually longer than a private domain name). Probably I should just go with plain HTTP instead of HTTPS, as it’s hard to do it using a flake.
I can write a derivation to bundle it, but how can I do it during the initial install of another machine before I can build the system derivation? My whole NixOS configuration will depend on the certificate, which is a cyclic dependency.
Multiple options: out of band file copy, build a custom installer.
If we backtrack the question though, there are more alternatives:
- not using http(s) for inputs at all, there are alternatives
- not having the target machine pull anything. Deploy using remote nixos-rebuild with `--target-host` or something like deploy-rs
I see. Thanks for the above suggestions.
Looks like there’s really no easy and straightforward way to trust a self-signed certificate for flake inputs currently. There are alternative ways, but all have their own problems.