Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: NixOS/nix
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: ca9c6cb95db0
Choose a base ref
...
head repository: NixOS/nix
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: 0a830ef12d5b
Choose a head ref
  • 4 commits
  • 3 files changed
  • 2 contributors

Commits on May 25, 2018

  1. install-multi-user: don't force NIX_SSL_CERT_FILE 

    Following the lead of the single user installer, if NIX_SSL_CERT_FILE is explicitly set prior to running, accept the user-provided version.
    @graham-at-target @grahamc
    graham-at-target authored and grahamc committed May 25, 2018
    Copy the full SHA
    c4b9486 View commit details

  2. multi-user profile: borrow single user profiles' NIX_SSL_CERT_FILE fi… 

    …nding logic
    @graham-at-target @grahamc
    graham-at-target authored and grahamc committed May 25, 2018
    Copy the full SHA
    cad903b View commit details

  3. Document NIX_SSL_CERT_FILE for installation

    @graham-at-target @grahamc
    graham-at-target authored and grahamc committed May 25, 2018
    Copy the full SHA
    e6466c2 View commit details

Commits on May 26, 2018

  1. Merge pull request #2181 from grahamc/nix-install-behind-mitm-proxy 

    Install Nix behind MITM proxy
    @edolstra
    edolstra authored May 26, 2018
    Copy the full SHA
    0a830ef View commit details
Showing with 75 additions and 5 deletions.
  1. +48 −1 doc/manual/installation/env-variables.xml
  2. +9 −3 scripts/install-multi-user.sh
  3. +18 −1 scripts/nix-profile-daemon.sh.in
49 changes: 48 additions & 1 deletion doc/manual/installation/env-variables.xml
View file
Original file line number Diff line number Diff line change
@@ -21,4 +21,51 @@ in your <filename>~/.profile</filename> (or similar), like this:</para>
<screen>
source <replaceable>prefix</replaceable>/etc/profile.d/nix.sh</screen>

</chapter>
<section xml:id="sec-nix-ssl-cert-file">

<title><envar>NIX_SSL_CERT_FILE</envar></title>

<para>If you need to specify a custom certificate bundle to account
for an HTTPS-intercepting man in the middle proxy, you must specify
the path to the certificate bundle in the environment variable
<envar>NIX_SSL_CERT_FILE</envar>.</para>


<para>If you don't specify a <envar>NIX_SSL_CERT_FILE</envar>
manually, Nix will install and use its own certificate
bundle.</para>

<procedure>
<step><para>Set the environment variable and install Nix</para>
<screen>
$ export NIX_SSL_CERT_FILE=/etc/ssl/my-certificate-bundle.crt
$ curl https://nixos.org/nix/install | sh
</screen></step>

<step><para>In the shell profile and rc files (for example,
<filename>/etc/bashrc</filename>, <filename>/etc/zshrc</filename>),
add the following line:</para>
<programlisting>
export NIX_SSL_CERT_FILE=/etc/ssl/my-certificate-bundle.crt
</programlisting>
</step>
</procedure>

<note><para>You must not add the export and then do the install, as
the Nix installer will detect the presense of Nix configuration, and
abort.</para></note>

<section>
<title><envar>NIX_SSL_CERT_FILE</envar> with macOS and the Nix daemon</title>

<para>On macOS you must specify the environment variable for the Nix
daemon service, then restart it:</para>

<screen>
$ sudo launchctl setenv NIX_SSL_CERT_FILE /etc/ssl/my-certificate-bundle.crt
$ sudo launchctl kickstart -k system/org.nixos.nix-daemon
</screen>
</section>

</section>
</chapter>
12 changes: 9 additions & 3 deletions scripts/install-multi-user.sh
View file
Original file line number Diff line number Diff line change
@@ -727,11 +727,17 @@ setup_default_profile() {
_sudo "to installing a bootstrapping Nix in to the default Profile" \
HOME="$ROOT_HOME" "$NIX_INSTALLED_NIX/bin/nix-env" -i "$NIX_INSTALLED_NIX"

_sudo "to installing a bootstrapping SSL certificate just for Nix in to the default Profile" \
HOME="$ROOT_HOME" "$NIX_INSTALLED_NIX/bin/nix-env" -i "$NIX_INSTALLED_CACERT"
if [ -z "$NIX_SSL_CERT_FILE" ] || ! [ -f "$NIX_SSL_CERT_FILE" ]; then
_sudo "to installing a bootstrapping SSL certificate just for Nix in to the default Profile" \
HOME="$ROOT_HOME" "$NIX_INSTALLED_NIX/bin/nix-env" -i "$NIX_INSTALLED_CACERT"
export NIX_SSL_CERT_FILE=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt
fi

# Have to explicitly pass NIX_SSL_CERT_FILE as part of the sudo call,
# otherwise it will be lost in environments where sudo doesn't pass
# all the environment variables by default.
_sudo "to update the default channel in the default profile" \
HOME="$ROOT_HOME" NIX_SSL_CERT_FILE=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt "$NIX_INSTALLED_NIX/bin/nix-channel" --update nixpkgs
HOME="$ROOT_HOME" NIX_SSL_CERT_FILE="$NIX_SSL_CERT_FILE" "$NIX_INSTALLED_NIX/bin/nix-channel" --update nixpkgs
}


19 changes: 18 additions & 1 deletion scripts/nix-profile-daemon.sh.in
View file
Original file line number Diff line number Diff line change
@@ -49,6 +49,23 @@ if test -w $HOME; then
fi
fi

export NIX_SSL_CERT_FILE="@localstatedir@/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"

# Set $NIX_SSL_CERT_FILE so that Nixpkgs applications like curl work.
if [ ! -z "$NIX_SSL_CERT_FILE" ]; then
: # Allow users to override the NIX_SSL_CERT_FILE
elif [ -e /etc/ssl/certs/ca-certificates.crt ]; then # NixOS, Ubuntu, Debian, Gentoo, Arch
export NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
elif [ -e /etc/ssl/ca-bundle.pem ]; then # openSUSE Tumbleweed
export NIX_SSL_CERT_FILE=/etc/ssl/ca-bundle.pem
elif [ -e /etc/ssl/certs/ca-bundle.crt ]; then # Old NixOS
export NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt
elif [ -e /etc/pki/tls/certs/ca-bundle.crt ]; then # Fedora, CentOS
export NIX_SSL_CERT_FILE=/etc/pki/tls/certs/ca-bundle.crt
elif [ -e "$NIX_USER_PROFILE_DIR/etc/ssl/certs/ca-bundle.crt" ]; then # fall back to cacert in the user's Nix profile
export NIX_SSL_CERT_FILE=$NIX_USER_PROFILE_DIR/etc/ssl/certs/ca-bundle.crt
elif [ -e "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt" ]; then # fall back to cacert in the default Nix profile
export NIX_SSL_CERT_FILE=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt
fi

export NIX_PATH="nixpkgs=@localstatedir@/nix/profiles/per-user/root/channels/nixpkgs:@localstatedir@/nix/profiles/per-user/root/channels"
export PATH="$HOME/.nix-profile/bin:$HOME/.nix-profile/lib/kde4/libexec:@localstatedir@/nix/profiles/default/bin:@localstatedir@/nix/profiles/default:@localstatedir@/nix/profiles/default/lib/kde4/libexec:$PATH"