diff --git a/nixos/doc/manual/release-notes/rl-2505.section.md b/nixos/doc/manual/release-notes/rl-2505.section.md index 0ef44a7ded92..8870360c8128 100644 --- a/nixos/doc/manual/release-notes/rl-2505.section.md +++ b/nixos/doc/manual/release-notes/rl-2505.section.md @@ -540,6 +540,8 @@ - `services.avahi.ipv6` now defaults to true. +- All services that require a root certificate bundle now use the value of a new read-only option, `security.pki.caBundle`. + - hddfancontrol has been updated to major release 2. See the [migration guide](https://github.com/desbma/hddfancontrol/tree/master?tab=readme-ov-file#migrating-from-v1x), as there are breaking changes. - The Home Assistant module has new options {option}`services.home-assistant.blueprints.automation`, `services.home-assistant.blueprints.script`, and {option}`services.home-assistant.blueprints.template` that allow for the declarative installation of [blueprints](https://www.home-assistant.io/docs/blueprint/) into the appropriate configuration directories. diff --git a/nixos/modules/security/ca.nix b/nixos/modules/security/ca.nix index 5e85fe902de6..e1e8dae2a918 100644 --- a/nixos/modules/security/ca.nix +++ b/nixos/modules/security/ca.nix @@ -5,7 +5,6 @@ ... }: let - cfg = config.security.pki; cacertPackage = pkgs.cacert.override { 
@@ -88,22 +87,31 @@ in ''; }; + security.pki.caBundle = lib.mkOption { + type = lib.types.path; + readOnly = true; + description = '' + (Read-only) the path to the final bundle of certificate authorities as a single file. + ''; + }; }; - config = lib.mkIf cfg.installCACerts { + config = lib.mkMerge [ + (lib.mkIf cfg.installCACerts { - # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility. - environment.etc."ssl/certs/ca-certificates.crt".source = caBundle; + # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility. + environment.etc."ssl/certs/ca-certificates.crt".source = caBundle; - # Old NixOS compatibility. - environment.etc."ssl/certs/ca-bundle.crt".source = caBundle; + # Old NixOS compatibility. + environment.etc."ssl/certs/ca-bundle.crt".source = caBundle; - # CentOS/Fedora compatibility. - environment.etc."pki/tls/certs/ca-bundle.crt".source = caBundle; + # CentOS/Fedora compatibility. + environment.etc."pki/tls/certs/ca-bundle.crt".source = caBundle; - # P11-Kit trust source. - environment.etc."ssl/trust-source".source = "${cacertPackage.p11kit}/etc/ssl/trust-source"; - - }; + # P11-Kit trust source. + environment.etc."ssl/trust-source".source = "${cacertPackage.p11kit}/etc/ssl/trust-source"; + }) + { security.pki.caBundle = caBundle; } + ]; } diff --git a/nixos/modules/services/audio/gonic.nix b/nixos/modules/services/audio/gonic.nix index 130fd3ecdb9a..6ac4286b2e4c 100644 --- a/nixos/modules/services/audio/gonic.nix +++ b/nixos/modules/services/audio/gonic.nix @@ -59,7 +59,7 @@ in BindReadOnlyPaths = [ # gonic can access scrobbling services "-/etc/resolv.conf" - "-/etc/ssl/certs/ca-certificates.crt" + "${config.security.pki.caBundle}:/etc/ssl/certs/ca-certificates.crt" builtins.storeDir ] ++ cfg.settings.music-path ++ lib.optional (cfg.settings.tls-cert != null) cfg.settings.tls-cert diff --git a/nixos/modules/services/audio/navidrome.nix b/nixos/modules/services/audio/navidrome.nix index e69bfef48438..41d3da158bca 100644 
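Review bot: `lib.mkIf cfg.installCACerts` still reads `cfg`, but the first hunk of this file removes `cfg = config.security.pki;` from the `let`; unless `cfg` is bound somewhere outside the shown hunks, the module will fail to evaluate with an undefined variable. The description of the new `caBundle` option should also state what callers now rely on: the second `mkMerge` element sets it unconditionally, so it is defined even when `installCACerts = false`, and its value is a Nix store path rather than `/etc/ssl/certs/ca-certificates.crt`, so an override of `environment.etc."ssl/certs/ca-certificates.crt".source` is not reflected in it. Suggested text: `The Nix store path of the CA bundle assembled from the security.pki.* options. It is set even when security.pki.installCACerts is false, so modules can reference the bundle without relying on /etc/ssl/certs/ca-certificates.crt being installed.`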
--- a/nixos/modules/services/audio/navidrome.nix +++ b/nixos/modules/services/audio/navidrome.nix @@ -118,9 +118,7 @@ in BindReadOnlyPaths = [ # navidrome uses online services to download additional album metadata / covers - "${ - config.environment.etc."ssl/certs/ca-certificates.crt".source - }:/etc/ssl/certs/ca-certificates.crt" + "${config.security.pki.caBundle}:/etc/ssl/certs/ca-certificates.crt" builtins.storeDir "/etc" ] diff --git a/nixos/modules/services/continuous-integration/gocd-agent/default.nix b/nixos/modules/services/continuous-integration/gocd-agent/default.nix index 607ac0e6ce9b..dd5014542507 100644 --- a/nixos/modules/services/continuous-integration/gocd-agent/default.nix +++ b/nixos/modules/services/continuous-integration/gocd-agent/default.nix @@ -213,7 +213,7 @@ in rm -f config/autoregister.properties ln -s "${pkgs.writeText "autoregister.properties" cfg.agentConfig}" config/autoregister.properties - ${pkgs.git}/bin/git config --global --add http.sslCAinfo /etc/ssl/certs/ca-certificates.crt + ${pkgs.git}/bin/git config --global --add http.sslCAinfo ${config.security.pki.caBundle} ${pkgs.jre}/bin/java ${lib.concatStringsSep " " cfg.startupOptions} \ ${lib.concatStringsSep " " cfg.extraOptions} \ -jar ${pkgs.gocd-agent}/go-agent/agent-bootstrapper.jar \ diff --git a/nixos/modules/services/continuous-integration/gocd-server/default.nix b/nixos/modules/services/continuous-integration/gocd-server/default.nix index 0997cb394cbe..0c3091f85b49 100644 --- a/nixos/modules/services/continuous-integration/gocd-server/default.nix +++ b/nixos/modules/services/continuous-integration/gocd-server/default.nix 
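Review bot: The new bind source `config.security.pki.caBundle` no longer follows `config.environment.etc."ssl/certs/ca-certificates.crt".source`, which the removed lines read; a system that sets `security.pki.installCACerts = false` and supplies its own bundle at that `/etc` path (or overrides its `source`) now has navidrome trust the cacert-derived bundle instead of the operator's. The same switch happens in tandoor-recipes.nix and in transmission.nix (`CURL_CA_BUNDLE`), whose removed lines also read the `etc` entry. If that is intended, the release-notes entry should say that `security.pki.caBundle` is derived only from the `security.pki.*` options and that overriding the `/etc` file no longer affects these services.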
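Review bot: `git config --global --add http.sslCAinfo ${config.security.pki.caBundle}` now appends a different value each time the bundle's store path changes, so the agent's `~/.gitconfig` keeps growing with stale `http.sslCAinfo` entries that point at paths which may later be garbage-collected; before, `--add` only duplicated the same constant `/etc` path. Git takes the last entry for this single-valued key, so it keeps working, but the old entries are dead weight. hound.nix in this same commit already uses `--replace-all`; suggest `${pkgs.git}/bin/git config --global --replace-all http.sslCAinfo ${config.security.pki.caBundle}` here and in gocd-server/default.nix. The surrounding start script continues outside the hunk.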
@@ -217,7 +217,7 @@ in path = cfg.packages; script = '' - ${pkgs.git}/bin/git config --global --add http.sslCAinfo /etc/ssl/certs/ca-certificates.crt + ${pkgs.git}/bin/git config --global --add http.sslCAinfo ${config.security.pki.caBundle} ${pkgs.jre}/bin/java -server ${concatStringsSep " " cfg.startupOptions} \ ${concatStringsSep " " cfg.extraOptions} \ -jar ${pkgs.gocd-server}/go-server/lib/go.jar diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix index 309e03266197..826c1e0a463f 100644 --- a/nixos/modules/services/mail/postfix.nix +++ b/nixos/modules/services/mail/postfix.nix @@ -591,10 +591,11 @@ in tlsTrustedAuthorities = lib.mkOption { type = lib.types.str; - default = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; - defaultText = lib.literalExpression ''"''${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"''; + default = config.security.pki.caBundle; + defaultText = lib.literalExpression "config.security.pki.caBundle"; + example = lib.literalExpression ''"''${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"''; description = '' - File containing trusted certification authorities (CA) to verify certificates of mailservers contacted for mail delivery. This basically sets smtp_tls_CAfile and enables opportunistic tls. Defaults to NixOS trusted certification authorities. + File containing trusted certification authorities (CA) to verify certificates of mailservers contacted for mail delivery. This sets [smtp_tls_CAfile](https://www.postfix.org/postconf.5.html#smtp_tls_CAfile). Defaults to system trusted certificates (see `security.pki.*` options). ''; }; diff --git a/nixos/modules/services/misc/db-rest.nix b/nixos/modules/services/misc/db-rest.nix index 6cb9dd3da577..d1cedfd2b838 100644 --- a/nixos/modules/services/misc/db-rest.nix +++ b/nixos/modules/services/misc/db-rest.nix 
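Review bot: `tlsTrustedAuthorities` keeps `type = lib.types.str` while its new default is the `lib.types.path` option `config.security.pki.caBundle`; `types.path` also admits path and derivation values, so whether this default passes the `str` check depends on how `caBundle` is built in ca.nix (not visible here). Since the value is a file path either way, `type = lib.types.path;` would be the more precise type, or wrap the default as `toString config.security.pki.caBundle` if `str` must stay for compatibility. The rewritten description drops the old remark that this enables opportunistic TLS; if the module still derives `smtp_tls_security_level` from this option (outside the hunk), that behaviour should remain documented.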
@@ -162,7 +162,7 @@ in }; environment = { NODE_ENV = "production"; - NODE_EXTRA_CA_CERTS = "/etc/ssl/certs/ca-certificates.crt"; + NODE_EXTRA_CA_CERTS = config.security.pki.caBundle; HOSTNAME = cfg.host; PORT = toString cfg.port; }; diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix index 245ced135c51..f96c6f548b0b 100644 --- a/nixos/modules/services/misc/gitlab.nix +++ b/nixos/modules/services/misc/gitlab.nix @@ -244,7 +244,7 @@ let ${optionalString (cfg.smtp.authentication != null) "authentication: :${cfg.smtp.authentication},"} enable_starttls_auto: ${boolToString cfg.smtp.enableStartTLSAuto}, tls: ${boolToString cfg.smtp.tls}, - ca_file: "/etc/ssl/certs/ca-certificates.crt", + ca_file: "${config.security.pki.caBundle}", openssl_verify_mode: '${cfg.smtp.opensslVerifyMode}' } end diff --git a/nixos/modules/services/misc/portunus.nix b/nixos/modules/services/misc/portunus.nix index 0ab9d69df96a..33a49fb25ee7 100644 --- a/nixos/modules/services/misc/portunus.nix +++ b/nixos/modules/services/misc/portunus.nix @@ -285,7 +285,7 @@ in in { PORTUNUS_SERVER_HTTP_SECURE = "true"; - PORTUNUS_SLAPD_TLS_CA_CERTIFICATE = "/etc/ssl/certs/ca-certificates.crt"; + PORTUNUS_SLAPD_TLS_CA_CERTIFICATE = config.security.pki.caBundle; PORTUNUS_SLAPD_TLS_CERTIFICATE = "${acmeDirectory}/cert.pem"; PORTUNUS_SLAPD_TLS_DOMAIN_NAME = cfg.domain; PORTUNUS_SLAPD_TLS_PRIVATE_KEY = "${acmeDirectory}/key.pem"; diff --git a/nixos/modules/services/misc/radicle.nix b/nixos/modules/services/misc/radicle.nix index cd7a2452223a..e849c8dee817 100644 --- a/nixos/modules/services/misc/radicle.nix +++ b/nixos/modules/services/misc/radicle.nix 
@@ -45,6 +45,7 @@ let BindReadOnlyPaths = [ "${cfg.configFile}:${env.RAD_HOME}/config.json" "${if lib.types.path.check cfg.publicKey then cfg.publicKey else pkgs.writeText "radicle.pub" cfg.publicKey}:${env.RAD_HOME}/keys/radicle.pub" + "${config.security.pki.caBundle}:/etc/ssl/certs/ca-certificates.crt" ]; KillMode = "process"; StateDirectory = [ "radicle" ]; @@ -57,7 +58,6 @@ let { BindReadOnlyPaths = [ "-/etc/resolv.conf" - "/etc/ssl/certs/ca-certificates.crt" "/run/systemd" ]; AmbientCapabilities = ""; diff --git a/nixos/modules/services/misc/tandoor-recipes.nix b/nixos/modules/services/misc/tandoor-recipes.nix index b56185bd0c45..8f1cb4cbadde 100644 --- a/nixos/modules/services/misc/tandoor-recipes.nix +++ b/nixos/modules/services/misc/tandoor-recipes.nix @@ -118,9 +118,7 @@ in RuntimeDirectory = "tandoor-recipes"; BindReadOnlyPaths = [ - "${ - config.environment.etc."ssl/certs/ca-certificates.crt".source - }:/etc/ssl/certs/ca-certificates.crt" + "${config.security.pki.caBundle}:/etc/ssl/certs/ca-certificates.crt" builtins.storeDir "-/etc/resolv.conf" "-/etc/nsswitch.conf" diff --git a/nixos/modules/services/monitoring/ocsinventory-agent.nix b/nixos/modules/services/monitoring/ocsinventory-agent.nix index 83fec3b2b57d..fba1ebcae4a5 100644 --- a/nixos/modules/services/monitoring/ocsinventory-agent.nix +++ b/nixos/modules/services/monitoring/ocsinventory-agent.nix @@ -53,7 +53,8 @@ in ca = lib.mkOption { type = lib.types.path; - default = "/etc/ssl/certs/ca-certificates.crt"; + default = config.security.pki.caBundle; + defaultText = lib.literalExpression "config.security.pki.caBundle"; description = '' Path to CA certificates file in PEM format, for server SSL certificate validation. @@ -72,7 +73,6 @@ in }; default = { }; example = { - ca = "/etc/ssl/certs/ca-certificates.crt"; debug = true; server = "https://ocsinventory.localhost:8080/ocsinventory"; tag = "01234567890123"; 
diff --git a/nixos/modules/services/monitoring/parsedmarc.nix b/nixos/modules/services/monitoring/parsedmarc.nix index 22c37f3e26e2..4b3991ebf188 100644 --- a/nixos/modules/services/monitoring/parsedmarc.nix +++ b/nixos/modules/services/monitoring/parsedmarc.nix @@ -371,7 +371,8 @@ in cert_path = lib.mkOption { type = lib.types.path; - default = "/etc/ssl/certs/ca-certificates.crt"; + default = config.security.pki.caBundle; + defaultText = lib.literalExpression "config.security.pki.caBundle"; description = '' The path to a TLS certificate bundle used to verify the server's certificate. diff --git a/nixos/modules/services/monitoring/uptime-kuma.nix b/nixos/modules/services/monitoring/uptime-kuma.nix index 3b15cb80a861..c673a09832b0 100644 --- a/nixos/modules/services/monitoring/uptime-kuma.nix +++ b/nixos/modules/services/monitoring/uptime-kuma.nix @@ -24,7 +24,7 @@ in default = { }; example = { PORT = "4000"; - NODE_EXTRA_CA_CERTS = "/etc/ssl/certs/ca-certificates.crt"; + NODE_EXTRA_CA_CERTS = lib.literalExpression "config.security.pki.caBundle"; }; description = '' Additional configuration for Uptime Kuma, see diff --git a/nixos/modules/services/networking/biboumi.nix b/nixos/modules/services/networking/biboumi.nix index ec28cadd8da2..a8318aff59b1 100644 --- a/nixos/modules/services/networking/biboumi.nix +++ b/nixos/modules/services/networking/biboumi.nix @@ -57,7 +57,8 @@ in }; options.ca_file = lib.mkOption { type = lib.types.path; - default = "/etc/ssl/certs/ca-certificates.crt"; + default = config.security.pki.caBundle; + defaultText = lib.literalExpression "config.security.pki.caBundle"; description = '' Specifies which file should be used as the list of trusted CA when negotiating a TLS session. diff --git a/nixos/modules/services/networking/privoxy.nix b/nixos/modules/services/networking/privoxy.nix index 9c9353f175e9..c57c8377bdac 100644 --- a/nixos/modules/services/networking/privoxy.nix +++ b/nixos/modules/services/networking/privoxy.nix 
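Review bot: `NODE_EXTRA_CA_CERTS = lib.literalExpression "config.security.pki.caBundle"` sits inside a plain attrset given as `example`, and as far as I know the option-documentation renderer only recognises `literalExpression` at the top level of `example`/`defaultText`; nested, the value goes through `lib.generators.toPretty` and would be printed as `{ _type = "literalExpression"; text = "…"; }` — please confirm against a rendered manual build. The `phpOptions` `defaultText` in nextcloud.nix (the `defaultPHPSettings // { "openssl.cafile" = literalExpression …; }` hunk) uses the same construct. Suggested form here: `example = lib.literalExpression ''{ PORT = "4000"; NODE_EXTRA_CA_CERTS = config.security.pki.caBundle; }'';`.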
@@ -282,9 +282,8 @@ in # This allows setting absolute key/crt paths ca-directory = "/var/empty"; certificate-directory = "/run/privoxy/certs"; - trusted-cas-file = "/etc/ssl/certs/ca-certificates.crt"; + trusted-cas-file = config.security.pki.caBundle; }); - }; imports = diff --git a/nixos/modules/services/networking/stunnel.nix b/nixos/modules/services/networking/stunnel.nix index ddc50a04789a..0e02cc74184c 100644 --- a/nixos/modules/services/networking/stunnel.nix +++ b/nixos/modules/services/networking/stunnel.nix @@ -123,7 +123,7 @@ in description = '' Define the client configurations. - By default, verifyChain and OCSPaia are enabled and a CAFile is provided from pkgs.cacert. + By default, verifyChain and OCSPaia are enabled and CAFile is set to `security.pki.caBundle`. See "SERVICE-LEVEL OPTIONS" in {manpage}`stunnel(8)`. ''; @@ -144,7 +144,7 @@ in applyDefaults = c: { - CAFile = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; + CAFile = config.security.pki.caBundle; OCSPaia = true; verifyChain = true; } diff --git a/nixos/modules/services/networking/unbound.nix b/nixos/modules/services/networking/unbound.nix index 7786f6a8d4d5..26c43521b2c1 100644 --- a/nixos/modules/services/networking/unbound.nix +++ b/nixos/modules/services/networking/unbound.nix @@ -195,7 +195,7 @@ in { interface = mkDefault ([ "127.0.0.1" ] ++ (optional config.networking.enableIPv6 "::1")); access-control = mkDefault ([ "127.0.0.0/8 allow" ] ++ (optional config.networking.enableIPv6 "::1/128 allow")); auto-trust-anchor-file = mkIf cfg.enableRootTrustAnchor rootTrustAnchorFile; - tls-cert-bundle = mkDefault "/etc/ssl/certs/ca-certificates.crt"; + tls-cert-bundle = mkDefault config.security.pki.caBundle; # prevent race conditions on system startup when interfaces are not yet # configured ip-freebind = mkDefault true; diff --git a/nixos/modules/services/search/hound.nix b/nixos/modules/services/search/hound.nix index 98ef752aa8e8..87066c79374a 100644 
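Review bot: The hunk removes a `};` line after `});` without adding anything in its place, so the attribute set that this `};` closed (its opening is outside the hunk, presumably `config = lib.mkIf cfg.enable {`) appears to be left open, with `imports =` then landing inside it. A superfluous `};` could not have parsed in the old file, so unless a matching change exists in privoxy.nix that is not shown on this page, this will not evaluate; worth re-checking with `nix-instantiate --parse` before merging.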
--- a/nixos/modules/services/search/hound.nix +++ b/nixos/modules/services/search/hound.nix @@ -118,7 +118,7 @@ in User = cfg.user; Group = cfg.group; WorkingDirectory = cfg.home; - ExecStartPre = "${pkgs.git}/bin/git config --global --replace-all http.sslCAinfo /etc/ssl/certs/ca-certificates.crt"; + ExecStartPre = "${pkgs.git}/bin/git config --global --replace-all http.sslCAinfo ${config.security.pki.caBundle}"; ExecStart = "${cfg.package}/bin/houndd -addr ${cfg.listen} -conf /etc/hound/config.json"; }; }; diff --git a/nixos/modules/services/system/nix-daemon.nix b/nixos/modules/services/system/nix-daemon.nix index 78787d08b1e1..bc5bbcf06cf1 100644 --- a/nixos/modules/services/system/nix-daemon.nix +++ b/nixos/modules/services/system/nix-daemon.nix @@ -218,7 +218,7 @@ in environment = cfg.envVars // { - CURL_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"; + CURL_CA_BUNDLE = config.security.pki.caBundle; } // config.networking.proxy.envVars; diff --git a/nixos/modules/services/torrent/transmission.nix b/nixos/modules/services/torrent/transmission.nix index 397b11c3e013..65501ecf7f4c 100644 --- a/nixos/modules/services/torrent/transmission.nix +++ b/nixos/modules/services/torrent/transmission.nix @@ -361,7 +361,7 @@ in wantedBy = [ "multi-user.target" ]; environment = { - CURL_CA_BUNDLE = etc."ssl/certs/ca-certificates.crt".source; + CURL_CA_BUNDLE = config.security.pki.caBundle; TRANSMISSION_WEB_HOME = lib.mkIf (cfg.webHome != null) cfg.webHome; }; diff --git a/nixos/modules/services/web-apps/cryptpad.nix b/nixos/modules/services/web-apps/cryptpad.nix index f2493d57e3cf..a5f142553495 100644 --- a/nixos/modules/services/web-apps/cryptpad.nix +++ b/nixos/modules/services/web-apps/cryptpad.nix @@ -239,7 +239,7 @@ in "-/etc/resolv.conf" "-/run/systemd" "/etc/hosts" - "/etc/ssl/certs/ca-certificates.crt" + "${config.security.pki.caBundle}:/etc/ssl/certs/ca-certificates.crt" ]; }; }; 
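Review bot: `CURL_CA_BUNDLE = config.security.pki.caBundle` embeds a store path in the nix-daemon unit, so any change to the bundle (a `cacert` update or a new `security.pki.certificateFiles` entry) now changes the unit file and `switch-to-configuration` restarts `nix-daemon`, whereas the old `/etc/ssl/certs/ca-certificates.crt` value stayed constant across such changes; the same holds for every unit in this commit that takes the store path into its environment or config. That is acceptable, and arguably safer because a running daemon cannot keep using a CA that was dropped from the bundle, but it should be stated in the release-notes entry, which currently only introduces the option.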
diff --git a/nixos/modules/services/web-apps/dex.nix b/nixos/modules/services/web-apps/dex.nix index 13af63892fe9..37b27ae8f1cd 100644 --- a/nixos/modules/services/web-apps/dex.nix +++ b/nixos/modules/services/web-apps/dex.nix @@ -117,7 +117,7 @@ in "-/etc/localtime" "-/etc/nsswitch.conf" "-/etc/resolv.conf" - "-/etc/ssl/certs/ca-certificates.crt" + "${config.security.pki.caBundle}:/etc/ssl/certs/ca-certificates.crt" ]; BindPaths = optional (cfg.settings.storage.type == "postgres") "/var/run/postgresql"; # ProtectClock= adds DeviceAllow=char-rtc r diff --git a/nixos/modules/services/web-apps/grav.nix b/nixos/modules/services/web-apps/grav.nix index 25743bc3e3f0..6549002c47ac 100644 --- a/nixos/modules/services/web-apps/grav.nix +++ b/nixos/modules/services/web-apps/grav.nix @@ -132,7 +132,7 @@ in "opcache.memory_consumption" = "128"; "opcache.revalidate_freq" = "1"; "opcache.fast_shutdown" = "1"; - "openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt"; + "openssl.cafile" = config.security.pki.caBundle; catch_workers_output = "yes"; upload_max_filesize = cfg.maxUploadSize; diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix index 1943e06804a6..cc5dae198837 100644 --- a/nixos/modules/services/web-apps/nextcloud.nix +++ b/nixos/modules/services/web-apps/nextcloud.nix @@ -19,7 +19,7 @@ let "opcache.memory_consumption" = "128"; "opcache.revalidate_freq" = "1"; "opcache.fast_shutdown" = "1"; - "openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt"; + "openssl.cafile" = config.security.pki.caBundle; catch_workers_output = "yes"; }; 
@@ -400,7 +400,7 @@ in { phpOptions = mkOption { type = with types; attrsOf (oneOf [ str int ]); - defaultText = literalExpression (generators.toPretty { } defaultPHPSettings); + defaultText = literalExpression (generators.toPretty { } (defaultPHPSettings // { "openssl.cafile" = literalExpression "config.security.pki.caBundle"; })); description = '' Options for PHP's php.ini file for nextcloud. diff --git a/nixos/modules/services/web-apps/peertube.nix b/nixos/modules/services/web-apps/peertube.nix index f52a4ccf6266..2fe726e61525 100644 --- a/nixos/modules/services/web-apps/peertube.nix +++ b/nixos/modules/services/web-apps/peertube.nix @@ -16,7 +16,7 @@ let env = { NODE_CONFIG_DIR = "/var/lib/peertube/config"; NODE_ENV = "production"; - NODE_EXTRA_CA_CERTS = "/etc/ssl/certs/ca-certificates.crt"; + NODE_EXTRA_CA_CERTS = config.security.pki.caBundle; NPM_CONFIG_CACHE = "/var/cache/peertube/.npm"; NPM_CONFIG_PREFIX = cfg.package; HOME = cfg.package; diff --git a/nixos/modules/services/web-apps/sogo.nix b/nixos/modules/services/web-apps/sogo.nix index c34896d1112e..ddf673dcaf42 100644 --- a/nixos/modules/services/web-apps/sogo.nix +++ b/nixos/modules/services/web-apps/sogo.nix @@ -113,7 +113,7 @@ in wantedBy = [ "multi-user.target" ]; restartTriggers = [ config.environment.etc."sogo/sogo.conf.raw".source ]; - environment.LDAPTLS_CACERT = "/etc/ssl/certs/ca-certificates.crt"; + environment.LDAPTLS_CACERT = config.security.pki.caBundle; serviceConfig = { Type = "forking";