Add global env vars for ca chain

hic-infra · Nov 13, 2024 · 217f84d · 217f84d
1 parent d2c3034
commit 217f84d
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 0 deletions.
diff --git a/modules/hic-tre-cert.ps1 b/modules/hic-tre-cert.ps1
@@ -58,3 +58,19 @@ New-Item -Path "C:\Program Files\Mozilla Firefox\" -Name distribution -ItemType
   }
 }
 "@ | Out-File -Encoding ASCII -FilePath "C:\Program Files\Mozilla Firefox\distribution\policies.json"
+
+# This covers both conda and CRAN, but it also overrides their own
+# provided CA chain files. That's probably ok given we don't allow
+# access to the internet.
+[Environment]::SetEnvironmentVariable(
+    "SSL_CERT_FILE",
+    "C:\Tools\hic-tre.dundee.ac.uk.crt",
+    [System.EnvironmentVariableTarget]::User)
+[Environment]::SetEnvironmentVariable(
+    "REQUESTS_CA_BUNDLE",
+    "C:\Tools\hic-tre.dundee.ac.uk.crt",
+    [System.EnvironmentVariableTarget]::User)
+[Environment]::SetEnvironmentVariable(
+    "CURL_CA_BUNDLE",
+    "C:\Tools\hic-tre.dundee.ac.uk.crt",
+    [System.EnvironmentVariableTarget]::User)
diff --git a/modules/hic-tre-cert.sh b/modules/hic-tre-cert.sh
@@ -60,3 +60,15 @@ sudo tee /etc/firefox/policies/policies.json <<JSON
   }
 }
 JSON
+
+# /etc/profile.d/*.sh not called due to how we start VNC
+if ! grep -Fxq "# HIC TRE CA CERT" /etc/bash.bashrc ; then
+    sudo tee -a /etc/bash.bashrc <<EOF
+
+# HIC TRE CA CERT
+export SSL_CERT_FILE=/usr/local/share/ca-certificates/hic/hic-tre.crt
+export REQUESTS_CA_BUNDLE=\$SSL_CERT_FILE
+export CURL_CA_BUNDLE=\$SSL_CERT_FILE
+EOF
+fi
+