system: Add 'x509-certificates' field, and populate /etc/ssl/certs.

* gnu/system.scm (<operating-system>)[x509-certificates]: New field. (etc-directory): Add #:x509-certificates parameter and honor it. (operating-system-etc-directory): Pass #:x509-certificates in 'etc-directory' call. * doc/guix.texi (operating-system Reference): Document 'x509-certificates'.

system: Add 'x509-certificates' field, and populate /etc/ssl/certs.
e979e6dd · Ludovic Courtès · d6d9f1f7 · e979e6dd · e979e6dd
Commit e979e6dd authored 10 years ago by Ludovic Courtès
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -3882,6 +3882,19 @@ Configuration of libc's name service switch (NSS)---a
 @code{<name-service-switch>} object.  @xref{Name Service Switch}, for
 details.

+@item @code{x509-certificates} (default: @var{nss-certs})
+This field's value must be a package containing X.509 certificates for
+so-called ``Certification Authorities'' (CAs) that is made available in
+the @file{/etc/ssl/certs} directory.  Currently this directory is
+accessed by applications using either the GnuTLS library or the OpenSSL
+library.
+
+By default, certificates from
+@uref{https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS,
+Mozilla's Network Security Services} are used.  These are the
+certificates shipped by Mozilla browsers and derivatives such as
+GNU@tie{}IceCat.
+
 @item @code{services} (default: @var{%base-services})
 A list of monadic values denoting system services.  @xref{Services}.


--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -42,6 +42,7 @@ (define-module (gnu system)
  #:use-module (gnu packages compression)
  #:use-module (gnu packages firmware)
  #:autoload   (gnu packages cryptsetup) (cryptsetup)
+  #:use-module (gnu packages certs)
  #:use-module (gnu services)
  #:use-module (gnu services dmd)
  #:use-module (gnu services base)
@@ -77,6 +78,7 @@ (define-module (gnu system)
            operating-system-locale-definitions
            operating-system-mapped-devices
            operating-system-file-systems
+            operating-system-x509-certificates
            operating-system-activation-script

            operating-system-derivation
@@ -140,6 +142,8 @@ (define-record-type* <operating-system> operating-system
                      (default %default-locale-definitions))
  (name-service-switch operating-system-name-service-switch ; <name-service-switch>
                       (default %default-nss))
+  (x509-certificates operating-system-x509-certificates     ; package
+                     (default nss-certs))

  (services operating-system-user-services        ; list of monadic services
            (default %base-services))
@@ -412,6 +416,7 @@ (define* (etc-directory #:key
                        (pam-services '())
                        (profile "/run/current-system/profile")
                        hosts-file nss
+                        x509-certificates
                        (sudoers ""))
  "Return a derivation that builds the static part of the /etc directory."
  (mlet* %store-monad
@@ -461,6 +466,8 @@ (define* (etc-directory #:key
                `(("services" ,#~(string-append #$net-base "/etc/services"))
                  ("protocols" ,#~(string-append #$net-base "/etc/protocols"))
                  ("rpc" ,#~(string-append #$net-base "/etc/rpc"))
+                  ("ssl" ,#~(string-append #$x509-certificates
+                                           "/etc/ssl")) ;for OpenSSL & co.
                  ("emacs" ,#~#$emacs)
                  ("pam.d" ,#~#$pam.d)
                  ("login.defs" ,#~#$login.defs)
@@ -523,6 +530,7 @@ (define (operating-system-etc-directory os)
                  #:timezone (operating-system-timezone os)
                  #:hosts-file /etc/hosts
                  #:sudoers (operating-system-sudoers os)
+                  #:x509-certificates (operating-system-x509-certificates os)
                  #:profile profile-drv)))

 (define %setuid-programs