From 05a6db87dd426a3870614aad7d2ff51164521c23 Mon Sep 17 00:00:00 2001 From: rnhmjoj Date: Wed, 19 Jun 2019 19:28:12 +0200 Subject: [PATCH] add NixOS instructions --- README.md | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/README.md b/README.md index 5f0b25f..5d51749 100644 --- a/README.md +++ b/README.md @@ -24,6 +24,47 @@ * Tagged for forwarding +## Setup in NixOS + +1. Import to the file ./service.nix in your configuration by adding: +```nix + imports = [ + (fetchGit https://maxwell.ydns.eu/git/rnhmjoj/privoxy-tls + "/service.nix") + ]; +``` + or, better, copy it locally. + +2. Create a CA. For example with GnuTLS: +``` +certtool --generate-privkey --outfile ca.key +certtool --generate-self-signed --load-privkey ca.key --outfile ca.crt +``` + or use the tool ./cert.py provided +``` +python cert.py -f output +``` + In latter the "output" file will contain both private key and certificate; + split the file and store the separately. + +3. Configure the proxy with the option set `services.privoxy.tls-wrapper`, for example +```nix + services.privoxy.tls-wrapper = { + enable = true; + caCert = /path/to/ca.crt; # these won't be included in the store + caKey = /path/to/ca.key; + noVerify = [ "self-signed.example" ]; + passthru = [ "localhost" "*.local" ]; + }; + }; +``` + More options are available and documented in ./service.nix + +### Notes + +- The CA will be automatically installed in the system trust store but +applications may use their own store and won't trust it. +You will need to add the CA manually in that case. + ## License
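Review bot: the `services.privoxy.tls-wrapper` example in step 3 has one more closing brace than it opens (`passthru = [ "localhost" "*.local" ];` / `};` / `};`), so copying it into configuration.nix will fail to parse; drop the second `};`. In step 1, `(fetchGit https://maxwell.ydns.eu/git/rnhmjoj/privoxy-tls "/service.nix")` applies the result of `fetchGit` to the string rather than joining them; the intended form is presumably `(fetchGit https://maxwell.ydns.eu/git/rnhmjoj/privoxy-tls) + "/service.nix"`, and quoting the URL as a string avoids relying on bare URL literals. The comment `# these won't be included in the store` next to `caKey = /path/to/ca.key;` deserves a check rather than a promise: a Nix path literal that is interpolated into a string anywhere in the module is copied into the world-readable store, which for the CA private key would undo the TLS-interception trust model, so either confirm service.nix only ever passes the option through as a string, or instruct users to write the paths as strings ("/path/to/ca.key") and say so here. Minor wording in step 2: "In latter" should be "In the latter", and "store the separately" should be "store them separately".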