aboutsummaryrefslogtreecommitdiff
path: root/profiles/ocsp.nix
diff options
context:
space:
mode:
authortilpner2020-06-15 09:53:06 +0200
committertilpner2020-06-15 09:53:06 +0200
commit367b0c114f38d5c332f5ee971ad13dd69e302dec (patch)
treeec0c5ee3e7e1f0a30517599e51bd0c8172635158 /profiles/ocsp.nix
parent2992d92e6ce0d7c96ccded0747d8815d8cfed956 (diff)
downloadfirefox-profiles-367b0c114f38d5c332f5ee971ad13dd69e302dec.tar.gz
firefox-profiles-367b0c114f38d5c332f5ee971ad13dd69e302dec.tar.xz
firefox-profiles-367b0c114f38d5c332f5ee971ad13dd69e302dec.zip
WIP towards module based configuration
Diffstat (limited to 'profiles/ocsp.nix')
-rw-r--r--profiles/ocsp.nix40
1 files changed, 25 insertions, 15 deletions
diff --git a/profiles/ocsp.nix b/profiles/ocsp.nix
index d56d8df..d109b54 100644
--- a/profiles/ocsp.nix
+++ b/profiles/ocsp.nix
@@ -1,4 +1,4 @@
-{ }: {
+{ config, lib, ... }: {
meta.description = ''
The Online Certificate Status Protocol is used to distrust revoked certificates.
When a new TLS connection is established, and OCSP stapling is not used, the browser checks with the
@@ -6,20 +6,30 @@
It should not be disabled for security-sensitive situations, but it may be disabled for privacy reasons.
'';
- enabled.preferences = {
- security.OCSP = {
- enabled = 1;
- # OCSP is useless, if the response is not mandatory
- require = true;
- };
-
- security.ssl = {
- enable_ocsp_stapling = true;
- enable_ocsp_must_staple = true;
- };
+ options = {
+ ocsp.enable = lib.mkEnableOption "OCSP";
};
- disabled.preferences = {
- security.OCSP.enabled = 0;
- };
+ config = lib.mkMerge [
+ (lib.mkIf config.ocsp.enable {
+ preferences = {
+ security.OCSP = {
+ enabled = 1;
+ # OCSP is useless, if the response is not mandatory
+ require = true;
+ };
+
+ security.ssl = {
+ enable_ocsp_stapling = true;
+ enable_ocsp_must_staple = true;
+ };
+ };
+ })
+
+ (lib.mkIf (!config.ocsp.enable) {
+ preferences = {
+ security.OCSP.enabled = 0;
+ };
+ })
+ ];
}