path: root/profiles/ocsp.nix
Diffstat (limited to 'profiles/ocsp.nix')
-rw-r--r--profiles/ocsp.nix40
1 files changed, 25 insertions, 15 deletions
diff --git a/profiles/ocsp.nix b/profiles/ocsp.nix
index d56d8df..d109b54 100644
--- a/profiles/ocsp.nix
+++ b/profiles/ocsp.nix
@@ -1,4 +1,4 @@
-{ }: {
+{ config, lib, ... }: {
meta.description = ''
The Online Certificate Status Protocol is used to distrust revoked certificates.
When a new TLS connection is established, and OCSP stapling is not used, the browser checks with the
@@ -6,20 +6,30 @@
It should not be disabled for security-sensitive situations, but it may be disabled for privacy reasons.
'';
- enabled.preferences = {
- security.OCSP = {
- enabled = 1;
- # OCSP is useless, if the response is not mandatory
- require = true;
- };
-
- security.ssl = {
- enable_ocsp_stapling = true;
- enable_ocsp_must_staple = true;
- };
+ options = {
+ ocsp.enable = lib.mkEnableOption "OCSP";
};
- disabled.preferences = {
- security.OCSP.enabled = 0;
- };
+ config = lib.mkMerge [
+ (lib.mkIf config.ocsp.enable {
+ preferences = {
+ security.OCSP = {
+ enabled = 1;
+ # OCSP is useless, if the response is not mandatory
+ require = true;
+ };
+
+ security.ssl = {
+ enable_ocsp_stapling = true;
+ enable_ocsp_must_staple = true;
+ };
+ };
+ })
+
+ (lib.mkIf (!config.ocsp.enable) {
+ preferences = {
+ security.OCSP.enabled = 0;
+ };
+ })
+ ];
}
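Review bot: `lib.mkEnableOption "OCSP"` on the new `options` line defaults to false, so a user who merely imports this profile without setting `ocsp.enable` lands in the `!config.ocsp.enable` branch and gets `security.OCSP.enabled = 0`, which switches off revocation checking that the browser has on by default — the opposite of what the description two lines earlier warns ("should not be disabled for security-sensitive situations"). Assuming the profile's `config` is applied whenever it is imported, the safe default is on, with disabling as the explicit opt-out: `ocsp.enable = lib.mkEnableOption "OCSP" // { default = true; };`. It is also worth a comment next to `require = true;` that this makes an unreachable OCSP responder a hard connection failure rather than a soft-fail, since that is the behaviour the enable branch deliberately selects and the thing a user choosing the option needs to know.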