These are my personal notes for setting up Nix with Zscaler.
Zscaler performs TLS inspection: it terminates every HTTPS connection, re-signs the server certificate with its own root CA and re-encrypts the traffic, which from the client's point of view is indistinguishable from a MITM attack. macOS trusts that root because it sits in the system keychain, but Nix ships its own CA bundle, so every download fails certificate verification until Nix is told about the Zscaler root.
Trust the Zscaler cert in the Keychain cert store (if your IT department hasn't already done it). Then export Apple's root bundle and the custom roots from the system keychain and concatenate them into /etc/ssl/certs/ca-certificates.crt:
pushd $(mktemp -d)
sudo mkdir -p /etc/ssl/certs   # /etc is not writable without sudo
# Apple's built-in roots
security export -t certs -f pemseq -k /System/Library/Keychains/SystemRootCertificates.keychain -o root.pem
# Roots added to the system keychain; this is where the Zscaler root lives
security export -t certs -f pemseq -k /Library/Keychains/System.keychain -o custom.pem
cat root.pem custom.pem | sudo tee /etc/ssl/certs/ca-certificates.crt > /dev/null
popd
Install Nix with the official installer. macOS's own curl trusts the system keychain, so this step already works through Zscaler:
sh <(curl -L https://nixos.org/nix/install)
Next, point Nix at the bundle. Commands run as your user read NIX_SSL_CERT_FILE, while the nix-daemon's launchd job is configured with the bundle inside the default profile, so replace that file with a symlink to the exported bundle and restart the daemon:
echo 'export NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt' >> ~/.zshrc
sudo rm /nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt
sudo ln -s /etc/ssl/certs/ca-certificates.crt /nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt
sudo launchctl kickstart -k system/org.nixos.nix-daemon
Restart the shell. Nix should now be able to reach cache.nixos.org and the channels. Note that the symlink lives inside the current generation of the default profile; upgrading Nix itself creates a new generation, so you may have to repeat the rm/ln/kickstart lines afterwards.
Check that the variable resolves to the bundle (it should print the concatenated PEM certificates):
cat $NIX_SSL_CERT_FILE
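A more thorough check than eyeballing the output of cat, covering both the export step and the Nix wiring above. This is an added script, not part of the original notes: it counts the PEM certificates in the bundle (an export that silently produced nothing shows up as zero), confirms that the bundle the nix-daemon sees is byte-identical to the exported one, looks for the Zscaler root by subject when openssl is available, and finally fetches from the Nix binary cache using only that bundle. The function names, the "check" argument and the search string "Zscaler" are my choices; the search string in particular is an assumption about how the root's subject is named.

```shell
#!/bin/sh
# Added example: sanity checks for the CA bundle wiring described above.
# Paths default to the ones used in these notes.
BUNDLE="${NIX_SSL_CERT_FILE:-/etc/ssl/certs/ca-certificates.crt}"
NIX_BUNDLE=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt

# count_certs FILE: print the number of PEM certificates in FILE.
# Fails if the file is unreadable or contains no certificate at all.
count_certs() {
  f="$1"
  [ -r "$f" ] || { echo "not readable: $f" >&2; return 1; }
  # grep -c exits 1 when there is no match; keep its "0" and carry on
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
  [ "$n" -gt 0 ] || { echo "no PEM certificates in $f" >&2; return 1; }
  echo "$n"
}

# same_bundle A B: succeed only if both files are readable and byte-identical,
# i.e. the bundle the nix-daemon uses really is the exported system bundle.
same_bundle() {
  [ -r "$1" ] && [ -r "$2" ] && cmp -s "$1" "$2"
}

# has_subject FILE PATTERN: succeed if some certificate in FILE has a subject
# matching PATTERN (case-insensitive). Requires openssl; the bundle is wrapped
# in a PKCS#7 container so that openssl prints every certificate, not just
# the first one.
has_subject() {
  f="$1"; pat="$2"
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
  openssl crl2pkcs7 -nocrl -certfile "$f" 2>/dev/null \
    | openssl pkcs7 -print_certs -noout 2>/dev/null \
    | grep -i '^subject=' | grep -iq -- "$pat"
}

# fetch_check: confirm that curl, trusting only this bundle, can reach the
# Nix binary cache through Zscaler. Needs network access.
fetch_check() {
  curl --silent --show-error --fail --cacert "$BUNDLE" --output /dev/null \
    https://cache.nixos.org/nix-cache-info
}

# Run the checks against the real paths: sh check-bundle.sh check
if [ "${1:-}" = "check" ]; then
  echo "certificates in $BUNDLE: $(count_certs "$BUNDLE")"
  if same_bundle "$BUNDLE" "$NIX_BUNDLE"; then
    echo "nix-daemon bundle matches $BUNDLE"
  else
    echo "MISMATCH: $NIX_BUNDLE is not identical to $BUNDLE" >&2
  fi
  # Assumed subject string; adjust if your Zscaler root is named differently.
  if has_subject "$BUNDLE" 'Zscaler'; then
    echo "Zscaler root present in $BUNDLE"
  else
    echo "Zscaler root not found in $BUNDLE" >&2
  fi
  fetch_check && echo "cache.nixos.org reachable through $BUNDLE"
fi
```

If the MISMATCH line shows up after a Nix upgrade, the default profile has been replaced and the symlink has to be recreated; if the certificate count is right but fetch_check fails, the Zscaler root is most likely missing from the export, not from Nix.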
Then update the nixpkgs channel (this is the first real download through Zscaler):
nix-channel --update nixpkgs
Enable flakes and the new CLI:
mkdir -p ~/.config/nix
echo "experimental-features = nix-command flakes" > ~/.config/nix/nix.conf
Clone your dotfiles repo (mine is private) and initialize home-manager:
git clone [email protected]:sebnyberg/dotfiles
cd dotfiles
nix run home-manager/master -- init --switch .
Later changes to the config are applied with:
home-manager switch --flake .
dope