@sebnyberg
Last active July 1, 2024 18:55
Nix Setup for MacOS + ZScaler


These are my personal notes for setting up Nix with ZScaler.

Export certs as cert bundle

ZScaler intercepts all TLS traffic and re-signs it with its own root CA, which is indistinguishable from a MITM attack: any tool that does not trust that root fails certificate validation.

Trust the ZScaler root certificate in the Keychain cert store. Then export the system bundle to /etc/ssl/certs/ca-certificates.crt:

pushd $(mktemp -d)
sudo mkdir -p /etc/ssl/certs
# Apple's built-in roots, then the System keychain (where the trusted ZScaler root should be)
security export -t certs -f pemseq -k /System/Library/Keychains/SystemRootCertificates.keychain -o root.pem
security export -t certs -f pemseq -k /Library/Keychains/System.keychain -o custom.pem
cat root.pem custom.pem | sudo tee /etc/ssl/certs/ca-certificates.crt > /dev/null
popd
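To see what actually landed in the exported bundle (whether the ZScaler root is present, whether every block is a complete certificate, and whether anything is duplicated), here is an added Python checker that is not part of these notes. It uses only the standard library with a minimal DER walker; the sample bundle at the bottom is constructed from unsigned certificate skeletons with placeholder CNs, not real CAs.

```python
import base64, hashlib, re

PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def tlv(data, pos=0):  # decode one DER TLV at pos -> (tag, value, next_pos)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def children(seq):  # every TLV inside a SEQUENCE/SET body -> [(tag, value), ...]
    out, pos = [], 0
    while pos < len(seq):
        tag, value, pos = tlv(seq, pos)
        out.append((tag, value))
    return out

def subject_cn(der):
    """Walk Certificate -> tbsCertificate -> subject and return its CN, or None."""
    fields = children(children(tlv(der)[1])[0][1])
    fields = fields[1:] if fields[0][0] == 0xA0 else fields  # skip optional [0] version
    for _, rdn in children(fields[4][1]):  # serial, sigAlg, issuer, validity, subject
        for _, atv in children(rdn):
            oid, value = children(atv)
            if oid[1] == b"\x55\x04\x03":  # id-at-commonName (2.5.4.3)
                return value[1].decode("utf-8", "replace")
    return None

def inspect_bundle(pem):  # -> [(sha256 fingerprint, CN)]; ValueError on a truncated block
    out = []
    for i, b64 in enumerate(PEM_BLOCK.findall(pem)):
        der = base64.b64decode(re.sub(rb"\s+", b"", b64), validate=True)
        tag, _, end = tlv(der)
        if tag != 0x30 or end != len(der):
            raise ValueError(f"block {i}: not one complete DER SEQUENCE")
        out.append((hashlib.sha256(der).hexdigest(), subject_cn(der)))
    return out

def has_ca(pem, cn): return any(c == cn for _, c in inspect_bundle(pem))

# --- constructed sample data: unsigned certificate skeletons, not real CAs ---
def der(tag, *parts):
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body  # short-form length is enough for these
def sample_cert(cn):
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03"), der(0x13, cn.encode()))))
    tbs = der(0x30, der(0x02, b"\x01"), der(0x30), name, der(0x30), name, der(0x30))
    return der(0x30, tbs, der(0x30), der(0x03, b"\x00"))
def to_pem(d):
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(d) + b"-----END CERTIFICATE-----\n"
CONSTRUCTED_BUNDLE = to_pem(sample_cert("Zscaler Root CA")) + to_pem(sample_cert("Example Root"))
```

Against the real file, call `inspect_bundle(open("/etc/ssl/certs/ca-certificates.crt", "rb").read())` and look for the ZScaler CN; the fingerprints match `openssl x509 -fingerprint -sha256` output with the colons removed.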

Install Nix (will complain about certs)

sh <(curl -L https://nixos.org/nix/install)

Inform Nix of system certs

The next step is to point Nix at the bundle via NIX_SSL_CERT_FILE and replace the built-in Nix bundle with a symlink to it:

echo 'export NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt' >> ~/.zshrc
# The nix-daemon uses the bundle in the default profile, so point that at the exported one too
sudo rm /nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt
sudo ln -s /etc/ssl/certs/ca-certificates.crt /nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt
# Restart the daemon so it picks up the new bundle
sudo launchctl kickstart -k system/org.nixos.nix-daemon

Restart the shell. Nix should now be able to connect to the NixPkgs index.

Check that the variable resolves to the bundle (this should print PEM certificates):

cat $NIX_SSL_CERT_FILE

Nix setup

Update:

nix-channel --update nixpkgs

Enable flakes

mkdir -p ~/.config/nix
echo "experimental-features = nix-command flakes" > ~/.config/nix/nix.conf

Clone your dotfiles repo (mine is private) and initialize home-manager:

git clone git@github.com:sebnyberg/dotfiles
cd dotfiles
nix run home-manager/master -- init --switch .

Update with:

home-manager switch --flake .