Merge pull request #805 from yacinehmito/disable-pki

Add security.pki.installCACerts config
LnL7 · Nov 11, 2023 · 0f1ad80 · 0f1ad80
2 parents c8f3857 + 4fa7b5c
commit 0f1ad80
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 2 deletions.
diff --git a/modules/security/pki/default.nix b/modules/security/pki/default.nix
@@ -21,6 +21,14 @@ in
 
 {
   options = {
+    security.pki.installCACerts = mkOption {
+      type = types.bool;
+      default = true;
+      description = lib.mdDoc ''
+        Whether to enable certificate management with nix-darwin.
+      '';
+    };
+
     security.pki.certificateFiles = mkOption {
       type = types.listOf types.path;
       default = [];
@@ -71,7 +79,7 @@ in
     };
   };
 
-  config = {
+  config = mkIf cfg.installCACerts {
 
     security.pki.certificateFiles = [ "${cacertPackage}/etc/ssl/certs/ca-bundle.crt" ];
 

diff --git a/modules/services/nix-daemon.nix b/modules/services/nix-daemon.nix
@@ -63,7 +63,10 @@ in
 
       serviceConfig.EnvironmentVariables = mkMerge [
         config.nix.envVars
-        { NIX_SSL_CERT_FILE = mkDefault config.environment.variables.NIX_SSL_CERT_FILE;
+        {
+          NIX_SSL_CERT_FILE = mkIf
+            (config.environment.variables ? NIX_SSL_CERT_FILE)
+            (mkDefault config.environment.variables.NIX_SSL_CERT_FILE);
           TMPDIR = mkIf (cfg.tempDir != null) cfg.tempDir;
           # FIXME: workaround for https://github.com/NixOS/nix/issues/2523
           OBJC_DISABLE_INITIALIZE_FORK_SAFETY = mkDefault "YES";