From 97332e32d5d64c77e6b612443c4e4c11be8eeab9 Mon Sep 17 00:00:00 2001
From: Ivan Bushchik <ivabus@ivabus.dev>
Date: Sat, 6 Jan 2024 16:43:29 +0300
Subject: [PATCH] Create russian-trusted-ca.nix

Signed-off-by: Ivan Bushchik <ivabus@ivabus.dev>
---
 common/default.nix            |  1 +
 common/russian-trusted-ca.nix | 14 ++++++++++++++
 2 files changed, 15 insertions(+)
 create mode 100644 common/russian-trusted-ca.nix

diff --git a/common/default.nix b/common/default.nix
index a6cc9c6..6266c08 100644
--- a/common/default.nix
+++ b/common/default.nix
@@ -7,6 +7,7 @@
     ./locale.nix
     ./networking.nix
     ./remote-access.nix
+    ./russian-trusted-ca.nix
     ./security.nix
     ./stateless.nix
     ./user.nix
diff --git a/common/russian-trusted-ca.nix b/common/russian-trusted-ca.nix
new file mode 100644
index 0000000..6fcdd73
--- /dev/null
+++ b/common/russian-trusted-ca.nix
@@ -0,0 +1,14 @@
+{ config, pkgs,... }:
+
+let 
+  root_ca = pkgs.fetchurl {
+    url = "https://gu-st.ru/content/lending/russian_trusted_root_ca_pem.crt";
+    hash = "sha256-k2pD/qbo5SW8wPgazZw9IbT8S5torOp5BtaYAFr8ZQQ=";
+  };
+  sub_ca = pkgs.fetchurl {
+    url = "https://gu-st.ru/content/lending/russian_trusted_sub_ca_pem.crt";
+    hash = "sha256-8K5YnzZ3TynvNkj3mEsI1C/M5vH/7rYjbXc9rrJ0TqY=";
+  };
+in {
+  security.pki.certificateFiles = [ "${root_ca}" "${sub_ca}" ];
+}