author | tilpner | 2020-06-15 09:53:06 +0200 |
committer | tilpner | 2020-06-15 09:53:06 +0200 |
commit | 367b0c114f38d5c332f5ee971ad13dd69e302dec (patch) | |
tree | ec0c5ee3e7e1f0a30517599e51bd0c8172635158 /profiles/ocsp.nix | |
parent | 2992d92e6ce0d7c96ccded0747d8815d8cfed956 (diff) | |
WIP towards module-based configuration
Diffstat (limited to 'profiles/ocsp.nix')
-rw-r--r-- | profiles/ocsp.nix | 40 |
1 files changed, 25 insertions, 15 deletions
diff --git a/profiles/ocsp.nix b/profiles/ocsp.nix
index d56d8df..d109b54 100644
--- a/profiles/ocsp.nix
+++ b/profiles/ocsp.nix
@@ -1,4 +1,4 @@
-{ }: {
+{ config, lib, ... }: {
 meta.description = ''
 The Online Certificate Status Protocol is used to distrust revoked certificates. When a new TLS connection is established, and OCSP stapling is not used, the browser checks with the
@@ -6,20 +6,30 @@
 It should not be disabled for security-sensitive situations, but it may be disabled for privacy reasons.
 '';
- enabled.preferences = {
- security.OCSP = {
- enabled = 1;
- # OCSP is useless, if the response is not mandatory
- require = true;
- };
-
- security.ssl = {
- enable_ocsp_stapling = true;
- enable_ocsp_must_staple = true;
- };
+ options = {
+ ocsp.enable = lib.mkEnableOption "OCSP";
 };
- disabled.preferences = {
- security.OCSP.enabled = 0;
- };
+ config = lib.mkMerge [
+ (lib.mkIf config.ocsp.enable {
+ preferences = {
+ security.OCSP = {
+ enabled = 1;
+ # OCSP is useless, if the response is not mandatory
+ require = true;
+ };
+
+ security.ssl = {
+ enable_ocsp_stapling = true;
+ enable_ocsp_must_staple = true;
+ };
+ };
+ })
+
+ (lib.mkIf (!config.ocsp.enable) {
+ preferences = {
+ security.OCSP.enabled = 0;
+ };
+ })
+ ];
 }
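Review bot: `lib.mkEnableOption "OCSP"` defaults to `false`, so in the second hunk a profile that merely imports this module now takes the `!config.ocsp.enable` branch and writes `security.OCSP.enabled = 0`, disabling revocation checks by default, which this module's own `meta.description` says should not happen in security-sensitive situations; the previous layout forced an explicit choice between `enabled` and `disabled`. If the intent is on-unless-opted-out, declare the option with a true default, e.g. `ocsp.enable = lib.mkEnableOption "OCSP" // { default = true; };`, and say so in the option description. The disabled branch also leaves `security.ssl.enable_ocsp_stapling` and `enable_ocsp_must_staple` untouched rather than resetting them, which is probably intended but deserves a one-line comment in that branch. Since this is WIP, note that the `mkIf`/`mkMerge` values under `preferences` only merge correctly if some other module declares `preferences` as an option, which is not visible in this file.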