-
Notifications
You must be signed in to change notification settings - Fork 92
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
modules: introduce mkcert (development certification authority) #74
base: main
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is, however, showstopper remaining ...
(a part from whether it shall be eligible or not for numtide/devshell
)
modules/mkcert.nix
Outdated
} | ||
|
||
# TODO: Uninstall when leaving the devshell | ||
# trap uninstall EXIT |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is not, unfortunately, not working, see #72
3ec55ca
to
4bb68cb
Compare
Something I feel quite strongly about is that devshell modules should be self-contained and not touch files outside of the project root. I am historically bad at testing and don't want to be responsible for It doesn't mean I don't understand the need for such a module. In its current design, it could be added to a ./contrib folder with enough caveats added to it. And also making sure to prompt the user before doing any changes to the system. Or, we could come up with a self-contained design. OpenSSL can be pointed to SSL_CERT_FILE to find what CAs are available. I'm thinking, the project could generate a private/public key-pair in Nix. Then generate a new CA bundle that includes the defaults + the public key. And finally, expose both through environment variables. Have you thought about that approach yet? |
PS: Browsers are moving in the direction of marking localhost connections as secure by default so the whole localhost SSL might become moot. |
On the horizon, that could be feasible, indeed. As for udev, I think also udev rules can have a runtime configuration at
I was prompted about it in the past, once. If we check a couple of libraries (openssl/wolfssl/mbedssl/etc) and see what environment variables they do observe, then it might actually become a lot cleaner, indeed. We need to make sure those do not override the system ones, but complement them. EDIT: We still could use |
In the context of a webapp, another thing you might do is start a reverse-proxy in front of the app that acts as the "load-balancer". Things get a bit trickier with IPC if the backends start talking to each-other. |
Effectively, although not the most common scenario, some projects require to have properly set dns (for mTLS, I guess), even for local testing. One example is: github.com/openintegrationhub. |
Do you think this PR is worth pursuing? I would need some tests. |
mkcert module allows to temporarily install a development certificate authority per project
to dynamically create a (local) certificate authority on first entry — a little more secure
or (predefined, if that is of circumstantial relevance to the project)
What we get: