From 94de87ed74d42cc17797a3bdb297e43c0478efc0 Mon Sep 17 00:00:00 2001
From: Fuwn <contact@fuwn.me>
Date: Sun, 29 Sep 2024 00:43:27 -0700
Subject: pki: move to core

---
 modules/core/networking/default.nix |  1 +
 modules/core/networking/pki.nix     | 47 +++++++++++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+)
 create mode 100644 modules/core/networking/pki.nix

(limited to 'modules/core')

diff --git a/modules/core/networking/default.nix b/modules/core/networking/default.nix
index ebdcd55..b8f221d 100644
--- a/modules/core/networking/default.nix
+++ b/modules/core/networking/default.nix
@@ -2,6 +2,7 @@
 {
   imports = [
     ./firewall
+    ./pki.nix
     ./resolved.nix
     ./tailscale.nix
   ];
diff --git a/modules/core/networking/pki.nix b/modules/core/networking/pki.nix
new file mode 100644
index 0000000..c781040
--- /dev/null
+++ b/modules/core/networking/pki.nix
@@ -0,0 +1,47 @@
+{ pkgs, ... }:
+{
+  security.pki = {
+    certificateFiles = [
+      (pkgs.fetchurl {
+        url = "https://nextdns.io/ca";
+        hash = "sha256-yl+2q4H/a8SLGv4Mt+g8+03uy9ihZxACbsj3uCTog34=";
+      })
+    ];
+
+    caCertificateBlacklist = [
+      "AC RAIZ FNMT-RCM SERVIDORES SEGUROS"
+      "Autoridad de Certificacion Firmaprofesional CIF A62634068"
+
+      # China Financial Certification Authority
+      "CFCA EV ROOT"
+
+      # Chunghwa Telecom Co., Ltd
+      "ePKI Root Certification Authority"
+      "HiPKI Root CA - G1"
+
+      # Dhimyotis
+      "Certigna"
+      "Certigna Root CA"
+
+      # GUANG DONG CERTIFICATE AUTHORITY
+      "GDCA TrustAUTH R5 ROOT"
+
+      # Hongkong Post
+      "Hongkong Post Root CA 3"
+
+      # iTrusChina Co.,Ltd.
+      "vTrus ECC Root CA"
+      "vTrus Root CA"
+
+      # Krajowa Izba Rozliczeniowa S.A.
+      "SZAFIR ROOT CA2"
+
+      # NetLock Kft.
+      "NetLock Arany (Class Gold) Főtanúsítvány"
+
+      # TAIWAN-CA
+      "TWCA Root Certification Authority"
+      "TWCA Global Root CA"
+    ];
+  };
+}
-- 
cgit v1.2.3