From bb9710df8a093eb9e2634e54dceec7c80d7004c9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cyryl=20P=C5=82otnicki?=
Date: Wed, 5 Oct 2022 14:04:38 +0100
Subject: [PATCH] manage certs on darwin via nix
---
 nixos/boxes/form3/default.nix | 20 +++++++++++++-------
 nixos/boxes/form3/form3-palo-alto.pem | 20 ++++++++++++++++++++
 2 files changed, 33 insertions(+), 7 deletions(-)
 create mode 100644 nixos/boxes/form3/form3-palo-alto.pem
diff --git a/nixos/boxes/form3/default.nix b/nixos/boxes/form3/default.nix
index 5ac0a0df..3f04860b 100644
--- a/nixos/boxes/form3/default.nix
+++ b/nixos/boxes/form3/default.nix
@@ -1,4 +1,11 @@
-{ config, pkgs, inputs, lib, nixpkgs-nixos-unstable-and-unfree, ... }: {
+{ config, pkgs, inputs, lib, nixpkgs-nixos-unstable-and-unfree, ... }:
+let
+ system_cert_bundle_path = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+ form3_cert_path = ./form3-palo-alto.pem;
+ form3_cert_bundle = builtins.toFile "form3-cert-bundle.crt"
+ (builtins.readFile system_cert_bundle_path
+ + builtins.readFile form3_cert_path);
+in {
 environment.systemPackages = with pkgs; [ vim nixfmt ];
 imports = [ ../../git ../../mercurial ];
@@ -31,14 +38,13 @@
 source-code-pro
 weather-icons
 ];
- security.pki.certificateFiles = [
- "/Users/Shared/form3-certs/form3-palo-alto.pem"
- "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
- ];
+ security.pki.certificateFiles = [ form3_cert_path system_cert_bundle_path ];
 environment.variables = {
- NIX_SSL_CERT_FILE = "/Users/cyryl/certs/bundle.crt";
+ NIX_SSL_CERT_FILE = form3_cert_bundle;
+ BUNDLE_SSL_CA_CERT = form3_cert_bundle;
+ CARGO_NET_GIT_FETCH_WITH_CLI = "true";
 };
- programs.zsh.enable = true; # default shell on catalina
+ programs.zsh.enable = true;
 system.stateVersion = 4;
diff --git a/nixos/boxes/form3/form3-palo-alto.pem b/nixos/boxes/form3/form3-palo-alto.pem
new file mode 100644
index 00000000..0e71b1d8
--- /dev/null
+++ b/nixos/boxes/form3/form3-palo-alto.pem
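Review bot: The two `builtins.readFile` results in `form3_cert_bundle` are concatenated with no separator, so if the cacert bundle ever lacks a trailing newline the `-----END CERTIFICATE-----` and `-----BEGIN CERTIFICATE-----` markers land on one line and PEM parsers may skip or reject the appended CA. Joining with an explicit newline, `(builtins.readFile system_cert_bundle_path + "\n" + builtins.readFile form3_cert_path)`, removes that dependency. Reading `${pkgs.cacert}` with `readFile` also forces the package to be realised during evaluation, which restricted or pure evaluation setups may refuse. If the pinned nixpkgs supports it, `pkgs.cacert.override { extraCertificateFiles = [ ./form3-palo-alto.pem ]; }` would produce the merged bundle as a normal build output instead. The attribute set opened by `in {` continues outside the hunk.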
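Review bot: The three `environment.variables` entries carry no comment saying which tool reads each one or why `CARGO_NET_GIT_FETCH_WITH_CLI` belongs in a certificate change, even though the combined bundle makes the proxy CA a trust anchor for Nix fetches and Bundler in every session. A short comment above the block would help, for example `# trust the corporate TLS-inspection CA: Nix (NIX_SSL_CERT_FILE), Bundler (BUNDLE_SSL_CA_CERT); cargo fetches git deps via the git CLI`. The cargo setting is presumably there because cargo's built-in git transport does not pick up this bundle; that is worth confirming and stating. Tools that read other variables, such as `SSL_CERT_FILE` or `GIT_SSL_CAINFO`, are not covered here, so the comment should say whether that is intentional.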
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDUjCCAjqgAwIBAgIJAKGbgmk1v5iwMA0GCSqGSIb3DQEBCwUAMFkxCzAJBgNV
+BAYTAkdCMSMwIQYDVQQKExpCYWNrIE9mZmljZSBUZWNobm9sb2d5IEx0ZDElMCMG
+A1UEAxMccGFsby1hbHRvLnN5c3RlbXMuZm9ybTMudGVjaDAeFw0yMTAyMjMwOTQ4
+MjlaFw0yNDAyMjMwOTQ4MjlaMFkxCzAJBgNVBAYTAkdCMSMwIQYDVQQKExpCYWNr
+IE9mZmljZSBUZWNobm9sb2d5IEx0ZDElMCMGA1UEAxMccGFsby1hbHRvLnN5c3Rl
+bXMuZm9ybTMudGVjaDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ0C
+6mwiX2JPtAyIfg8+LNLTBZbB/PsXYcbirUoA31cM/6uZK+9xYHD95WthpHA5yp4s
+SUoP+KQiiAs6UHk8fvKkKDyiZYPzbFzWUAsWZwvplqfHgjOj9sGmzdBNlHI+JD7i
+lfJrRk62veGrsubjoxMgzpvWRw0MO96YNMQA+l0DpT+v6CQPBdtKloXajMUiRBDI
+pCaM2R7HLrCtuQVedP8n8E+X34G9h6tCJtOd4+kMNDdiAK176C9f6a1Qhj4aDkFb
+tYoD5RC0jatqC7u7HhfmZn1jUC/OlQvKXKAmMNr55aycUiKQLGsksJHLcqvmD8XG
+et01szQ0dQ2jW19sdZkCAwEAAaMdMBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMC
+AgQwDQYJKoZIhvcNAQELBQADggEBACL33t6vUJkmLwzbCXtIA0SCxxFKFfr0W7Sd
+D15FPiNypFiF2LzHhLbAuCWHNsoQWeilxnIVZX75KDLBudn/zPXqwGh4O+2j3etN
+AtZbJFnBH0A6bJRnopEfLz0qSanIVPV7YDqeS1Xotc/OK0/+Rkr0iUOmCrorfUAv
+5kx4VSOOrg+tbzwqEp0YMq8aE+sVadFPshh1SfoTUQJ1a6qh7q3Wm0cPPvt0yf7A
+NXFVlMb+Ti/GsqxKarS/wYWFm317wT+GXITXJGmHOyul9cY4Ko6jPg0lRH4Zd2Xj
+sNB68Aax1FbduXZUa+ngGb8QYooEfusLPs05OTTl5ympJEtah3U=
+-----END CERTIFICATE-----
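Review bot: This file adds a trust anchor with no recorded provenance. As far as the encoded fields show, it is a CA certificate (basicConstraints CA:TRUE, keyCertSign) without name constraints, and its validity appears to end on 2024-02-23. Because `default.nix` installs it system-wide and into the Nix bundle, whoever holds the matching key can issue certificates for any hostname these machines trust. I would add a comment next to `form3_cert_path` in `default.nix` such as `# Form3 Palo Alto TLS-inspection root; SHA-256 <FINGERPRINT_PLACEHOLDER>; expires <NOT_AFTER_PLACEHOLDER>; verify out of band before replacing`. A reminder to rotate the file before expiry would avoid TLS failures across Nix, Bundler and system tools at once.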