treewide: support NIX_SSL_CERT_FILE as an impureEnvVar

This envvar is also added to lib.proxyImpureEnvVars since it's
typically required for https proxies.

This change also updates fetchgit and go module fetching to use this
envvar. NIX_GIT_SSL_CAINFO is still supported for backwards
compatibility in fetchgit.
Tim Cuthbertson 2023-11-28 22:15:40 +11:00
parent c455cc3170
commit 911aa1440f
5 changed files with 11 additions and 9 deletions


@ -9,6 +9,9 @@
# by definition pure. # by definition pure.
"http_proxy" "https_proxy" "ftp_proxy" "all_proxy" "no_proxy" "http_proxy" "https_proxy" "ftp_proxy" "all_proxy" "no_proxy"
"HTTP_PROXY" "HTTPS_PROXY" "FTP_PROXY" "ALL_PROXY" "NO_PROXY" "HTTP_PROXY" "HTTPS_PROXY" "FTP_PROXY" "ALL_PROXY" "NO_PROXY"
# https proxies typically need to inject custom root CAs too
"NIX_SSL_CERT_FILE"
]; ];
} }
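Review bot: The new comment on the `"NIX_SSL_CERT_FILE"` entry says why the variable is wanted but not what accepting it means: every fetcher that inherits lib.fetchers.proxyImpureEnvVars now takes the path of its trusted CA bundle from the nix-daemon's environment rather than from the cacert package, so the operator running the daemon, not the Nix expression, decides which roots are trusted during the fetch. The result is still pinned by the fixed-output hash, but a bundle path that is not visible inside the sandbox surfaces as a TLS failure that is hard to trace back to this list. I would extend the comment to `# https proxies typically need to inject custom root CAs too; the value is a host path taken from the daemon's environment (it must be reachable inside the sandbox) and takes precedence over cacert's bundle in every fetcher using this list`. The attribute set that holds this list begins outside the hunk.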


@ -67,7 +67,7 @@ stdenvNoCC.mkDerivation {
builder = ./builder.sh; builder = ./builder.sh;
fetcher = ./nix-prefetch-git; fetcher = ./nix-prefetch-git;
nativeBuildInputs = [ git ] nativeBuildInputs = [ git cacert ]
++ lib.optionals fetchLFS [ git-lfs ]; ++ lib.optionals fetchLFS [ git-lfs ];
outputHashAlgo = if hash != "" then null else "sha256"; outputHashAlgo = if hash != "" then null else "sha256";
@ -94,8 +94,6 @@ stdenvNoCC.mkDerivation {
export HOME=$PWD export HOME=$PWD
''; '';
GIT_SSL_CAINFO = "${cacert}/etc/ssl/certs/ca-bundle.crt";
impureEnvVars = lib.fetchers.proxyImpureEnvVars ++ netrcImpureEnvVars ++ [ impureEnvVars = lib.fetchers.proxyImpureEnvVars ++ netrcImpureEnvVars ++ [
"GIT_PROXY_COMMAND" "NIX_GIT_SSL_CAINFO" "SOCKS_SERVER" "GIT_PROXY_COMMAND" "NIX_GIT_SSL_CAINFO" "SOCKS_SERVER"
]; ];
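Review bot: Dropping the explicit `GIT_SSL_CAINFO = "${cacert}/etc/ssl/certs/ca-bundle.crt";` means this derivation no longer hands git a CA bundle on its own: it now relies on cacert's setup hook (reached through the new `cacert` entry in nativeBuildInputs) exporting NIX_SSL_CERT_FILE before nix-prefetch-git reads it, and on NIX_SSL_CERT_FILE arriving via lib.fetchers.proxyImpureEnvVars, neither of which is visible in this file. If builder.sh were ever run without sourcing the stdenv setup, git would see an empty or unset GIT_SSL_CAINFO instead of cacert's bundle; I cannot confirm from the hunk how builder.sh is invoked. A comment on the impureEnvVars line would make the dependency explicit: `# NIX_SSL_CERT_FILE comes in via proxyImpureEnvVars, else from cacert's setup hook; NIX_GIT_SSL_CAINFO stays for backwards compatibility`. The mkDerivation call starts before the first hunk and continues after this one.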


@ -17,9 +17,9 @@ branchName=$NIX_PREFETCH_GIT_BRANCH_NAME
out=${out:-} out=${out:-}
http_proxy=${http_proxy:-} http_proxy=${http_proxy:-}
# allow overwriting cacert's ca-bundle.crt with a custom one # NOTE: use of NIX_GIT_SSL_CAINFO is for backwards compatibility; NIX_SSL_CERT_FILE is preferred
# this can be done by setting NIX_GIT_SSL_CAINFO and NIX_SSL_CERT_FILE environment variables for the nix-daemon # as of PR#303307
GIT_SSL_CAINFO=${NIX_GIT_SSL_CAINFO:-$GIT_SSL_CAINFO} GIT_SSL_CAINFO=${NIX_GIT_SSL_CAINFO:-$NIX_SSL_CERT_FILE}
# populated by clone_user_rev() # populated by clone_user_rev()
fullRev= fullRev=
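Review bot: The new default `${NIX_GIT_SSL_CAINFO:-$NIX_SSL_CERT_FILE}` drops the old `$GIT_SSL_CAINFO` fallback, so a caller who set GIT_SSL_CAINFO directly (the script can be run outside a Nix build) is silently overridden, and when NIX_SSL_CERT_FILE is absent GIT_SSL_CAINFO becomes an empty string rather than staying unset, which changes how git and curl go looking for a CA bundle. The neighbouring `${out:-}` and `${http_proxy:-}` defaults suggest the script may run with `set -u`, in which case an unset NIX_SSL_CERT_FILE would abort here instead; the options are not visible in the hunk. Keeping the previous variable as the last resort avoids both cases: `GIT_SSL_CAINFO=${NIX_GIT_SSL_CAINFO:-${NIX_SSL_CERT_FILE:-${GIT_SSL_CAINFO:-}}}`.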


@ -136,6 +136,7 @@ in
exit 10 exit 10
fi fi
export GIT_SSL_CAINFO=$NIX_SSL_CERT_FILE
${if finalAttrs.proxyVendor then '' ${if finalAttrs.proxyVendor then ''
mkdir -p "''${GOPATH}/pkg/mod/cache/download" mkdir -p "''${GOPATH}/pkg/mod/cache/download"
go mod download go mod download
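Review bot: `export GIT_SSL_CAINFO=$NIX_SSL_CERT_FILE` is unconditional, so when NIX_SSL_CERT_FILE is unset or empty in the modules derivation (nothing in this hunk shows cacert among its inputs) git is handed an empty GIT_SSL_CAINFO, which overrides whatever bundle git or curl would otherwise locate rather than leaving that lookup alone. Guarding the export preserves the previous behaviour in that case: `if [ -n "''${NIX_SSL_CERT_FILE:-}" ]; then export GIT_SSL_CAINFO="$NIX_SSL_CERT_FILE"; fi` (the `''${` escape matches the adjacent `''${GOPATH}` line, since this is inside a Nix indented string). The build script and the goModules derivation it belongs to both start and end outside the hunk.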


@ -1,7 +1,7 @@
export NIX_SSL_CERT_FILE=@out@/etc/ssl/certs/ca-bundle.crt export NIX_SSL_CERT_FILE="${NIX_SSL_CERT_FILE:-@out@/etc/ssl/certs/ca-bundle.crt}"
# compatibility # compatibility
# - openssl # - openssl
export SSL_CERT_FILE=@out@/etc/ssl/certs/ca-bundle.crt export SSL_CERT_FILE=$NIX_SSL_CERT_FILE
# - Haskell x509-system # - Haskell x509-system
export SYSTEM_CERTIFICATE_PATH=@out@/etc/ssl/certs/ca-bundle.crt export SYSTEM_CERTIFICATE_PATH=$NIX_SSL_CERT_FILE
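Review bot: Honouring a pre-set NIX_SSL_CERT_FILE changes who decides the trusted roots for everything that has cacert in its inputs, not only for fixed-output fetchers: inside the sandbox the variable is only present when a derivation lists it in impureEnvVars, but in a nix-shell that inherits the caller's environment the user's own NIX_SSL_CERT_FILE now wins over this package's bundle, and nothing checks that the inherited path is readable, so a value that is not visible in the sandbox propagates into SSL_CERT_FILE and SYSTEM_CERTIFICATE_PATH as a dangling path. The existing `# compatibility` comment does not say any of this; I would state the precedence above the first export: `# prefer a bundle already named in the environment (e.g. passed through impureEnvVars by a fixed-output derivation); fall back to this package's bundle`. If falling back on an unreadable path is wanted, `[ -r "${NIX_SSL_CERT_FILE:-}" ] || NIX_SSL_CERT_FILE=@out@/etc/ssl/certs/ca-bundle.crt` before the export would do it, at the cost of hiding a misconfigured daemon behind a different bundle.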