From 0bc4665b871281f14d766f08e9d8323c175c82f9 Mon Sep 17 00:00:00 2001 From: Nikolaos Karaolidis Date: Tue, 13 May 2025 11:55:49 +0100 Subject: [PATCH] Add sas cacerts Signed-off-by: Nikolaos Karaolidis --- hosts/elara/configs/pki/default.nix | 15 +++++++++++++++ hosts/elara/default.nix | 1 + packages/default.nix | 1 + packages/sas/cacert/default.nix | 17 +++++++++++++++++ packages/ssh/known-hosts/github/default.nix | 1 - .../ssh/known-hosts/sas/artifact/default.nix | 1 - packages/ssh/known-hosts/sas/cldlgn/default.nix | 1 - packages/ssh/known-hosts/sas/gerrit/default.nix | 1 - packages/ssh/known-hosts/sas/gitlab/default.nix | 1 - 9 files changed, 34 insertions(+), 5 deletions(-) create mode 100644 hosts/elara/configs/pki/default.nix create mode 100644 packages/sas/cacert/default.nix
diff --git a/hosts/elara/configs/pki/default.nix b/hosts/elara/configs/pki/default.nix
new file mode 100644
index 0000000..9dab6db
--- /dev/null
+++ b/hosts/elara/configs/pki/default.nix
@@ -0,0 +1,15 @@
+{
+ config,
+ inputs,
+ system,
+ lib,
+ ...
+}:
+let
+ selfPkgs = inputs.self.packages.${system};
+in
+{
+ security.pki.certificateFiles = lib.lists.optionals config.sas.build.private [
+ "${selfPkgs.sas-cacert}/etc/ssl/certs/ca-bundle.crt"
+ ];
+}
diff --git a/hosts/elara/default.nix b/hosts/elara/default.nix
index 43f71fb..e43a17b 100644
--- a/hosts/elara/default.nix
+++ b/hosts/elara/default.nix
@@ -49,6 +49,7 @@ ../common/configs/system/zsh ./configs/git + ./configs/pki ./configs/vpn ./users/nikara
diff --git a/packages/default.nix b/packages/default.nix
index 727efb3..9b03fe3 100644
--- a/packages/default.nix
+++ b/packages/default.nix
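Review bot: The `security.pki.certificateFiles` entry in hosts/elara/configs/pki/default.nix carries no comment saying what it trusts, and this option feeds the system-wide CA store, so every certificate in the SAS bundle becomes a trust anchor for any hostname on this host, not only SAS-internal ones. I would add a comment above it, e.g. `# Adds the SAS corporate CA bundle to the system trust store; gated on sas.build.private so other builds keep the default roots.` The definition of `config.sas.build.private` is not visible in this patch, so the wording should be adjusted to match how that option is actually declared.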
@@ -34,6 +34,7 @@ ssh-known-hosts-sas-gerrit = import ./ssh/known-hosts/sas/gerrit { inherit pkgs inputs system; }; ssh-known-hosts-sas-gitlab = import ./ssh/known-hosts/sas/gitlab { inherit pkgs inputs system; }; + sas-cacert = import ./sas/cacert { inherit pkgs; }; viya4-ark = import ./sas/viya4-ark { inherit pkgs; }; viya4-orders-cli = import ./sas/viya4-orders-cli { inherit pkgs; }; }
diff --git a/packages/sas/cacert/default.nix b/packages/sas/cacert/default.nix
new file mode 100644
index 0000000..77de159
--- /dev/null
+++ b/packages/sas/cacert/default.nix
@@ -0,0 +1,17 @@
+{ pkgs, ... }:
+pkgs.stdenv.mkDerivation rec {
+ pname = "sas-cacert";
+ version = "0-unstable-2025-05-13";
+
+ src = builtins.fetchurl {
+ url = "http://certificates.sas.com/pki/sascacertsbundle.txt";
+ sha256 = "sha256:0naqfhyh7ri1lxkyx8kdh4bmrd59j9gnfxfi12ggfqkii9n37lj6";
+ };
+
+ phases = [ "installPhase" ];
+
+ installPhase = ''
+ mkdir -p $out/etc/ssl/certs
+ cp $src $out/etc/ssl/certs/ca-bundle.crt
+ '';
+}
diff --git a/packages/ssh/known-hosts/github/default.nix b/packages/ssh/known-hosts/github/default.nix
index bd82c29..9a57f9b 100644
--- a/packages/ssh/known-hosts/github/default.nix
+++ b/packages/ssh/known-hosts/github/default.nix
@@ -4,7 +4,6 @@ system, ... }: -# AUTO-UPDATE: echo "Warning: Package using custom fetcher cannot be automatically updated." >&2 pkgs.stdenv.mkDerivation rec { pname = "ssh-known-hosts-github"; version = "0-unstable-2025-02-25";
diff --git a/packages/ssh/known-hosts/sas/artifact/default.nix b/packages/ssh/known-hosts/sas/artifact/default.nix
index 1c94e7e..cddc6dc 100644
--- a/packages/ssh/known-hosts/sas/artifact/default.nix
+++ b/packages/ssh/known-hosts/sas/artifact/default.nix
@@ -4,7 +4,6 @@ system, ... }: -# AUTO-UPDATE: echo "Warning: Package using custom fetcher cannot be automatically updated." >&2 pkgs.stdenv.mkDerivation rec { pname = "ssh-known-hosts-sas-artifact"; version = "0-unstable-2025-03-14";
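Review bot: `url = "http://certificates.sas.com/pki/sascacertsbundle.txt"` in packages/sas/cacert/default.nix fetches trust anchors over cleartext HTTP. The `sha256` makes later fetches fail on any byte change, but it only vouches for whatever was downloaded when the hash was recorded, and nothing in the patch records how that copy was checked. If the host serves the file over TLS, switch the scheme to `https://`; either way add a comment such as `# sha256 recorded after verifying the CA fingerprints against <OUT-OF-BAND SOURCE>`. The URL is unversioned, so an upstream bundle rotation will surface as a hash mismatch, which should be treated as a prompt to re-verify the new bundle before bumping `sha256` and `version`.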
diff --git a/packages/ssh/known-hosts/sas/cldlgn/default.nix b/packages/ssh/known-hosts/sas/cldlgn/default.nix
index 2bff325..5522c60 100644
--- a/packages/ssh/known-hosts/sas/cldlgn/default.nix
+++ b/packages/ssh/known-hosts/sas/cldlgn/default.nix
@@ -4,7 +4,6 @@ system, ... }: -# AUTO-UPDATE: echo "Warning: Package using custom fetcher cannot be automatically updated." >&2 pkgs.stdenv.mkDerivation rec { pname = "ssh-known-hosts-sas-cldlgn"; version = "0-unstable-2025-02-25";
diff --git a/packages/ssh/known-hosts/sas/gerrit/default.nix b/packages/ssh/known-hosts/sas/gerrit/default.nix
index ca4eab5..e4dd33c 100644
--- a/packages/ssh/known-hosts/sas/gerrit/default.nix
+++ b/packages/ssh/known-hosts/sas/gerrit/default.nix
@@ -4,7 +4,6 @@ system, ... }: -# AUTO-UPDATE: echo "Warning: Package using custom fetcher cannot be automatically updated." >&2 pkgs.stdenv.mkDerivation rec { pname = "ssh-known-hosts-sas-gerrit"; version = "0-unstable-2025-02-25";
diff --git a/packages/ssh/known-hosts/sas/gitlab/default.nix b/packages/ssh/known-hosts/sas/gitlab/default.nix
index 9af67e0..98ae47b 100644
--- a/packages/ssh/known-hosts/sas/gitlab/default.nix
+++ b/packages/ssh/known-hosts/sas/gitlab/default.nix
@@ -4,7 +4,6 @@ system, ... }: -# AUTO-UPDATE: echo "Warning: Package using custom fetcher cannot be automatically updated." >&2 pkgs.stdenv.mkDerivation rec { pname = "ssh-known-hosts-sas-gitlab"; version = "0-unstable-2025-02-25";