nixos/modules: Add security.pki.caBundle option and make all services use it for CA bundles (#352244)

Previously some modules used `config.environment.etc."ssl/certs/ca-certificates.crt".source`, some used `"/etc/ssl/certs/ca-certificates.crt"`, and some used `"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"`. These were all bad in one way or another: - `config.environment.etc."ssl/certs/ca-certificates.crt".source` relies on `source` being set; if `text` is set instead this breaks, introducing a weird undocumented requirement - `"/etc/ssl/certs/ca-certificates.crt"` is probably okay but very un-nix. It's a magic string, and the path doesn't change when the file changes (and so you can't trigger service reloads, for example, when the contents change in a new system activation) - `"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"` silently doesn't include the options from `security.pki` Co-authored-by: Shelvacu <git@shelvacu.com>
2025-07-13 13:40:28 +03:00 · 2025-03-08 00:41:08 -08:00 · 2025-03-08 00:41:08 -08:00 · 1a4575f9db
commit 1a4575f9db
parent f5dadc8f64
28 changed files with 56 additions and 48 deletions
--- a/nixos/modules/services/misc/db-rest.nix
+++ b/nixos/modules/services/misc/db-rest.nix
@ -162,7 +162,7 @@ in
        };
        environment = {
          NODE_ENV = "production";
-          NODE_EXTRA_CA_CERTS = "/etc/ssl/certs/ca-certificates.crt";
+          NODE_EXTRA_CA_CERTS = config.security.pki.caBundle;
          HOSTNAME = cfg.host;
          PORT = toString cfg.port;
        };
--- a/nixos/modules/services/misc/gitlab.nix
+++ b/nixos/modules/services/misc/gitlab.nix
@ -244,7 +244,7 @@ let
        ${optionalString (cfg.smtp.authentication != null) "authentication: :${cfg.smtp.authentication},"}
        enable_starttls_auto: ${boolToString cfg.smtp.enableStartTLSAuto},
        tls: ${boolToString cfg.smtp.tls},
-        ca_file: "/etc/ssl/certs/ca-certificates.crt",
+        ca_file: "${config.security.pki.caBundle}",
        openssl_verify_mode: '${cfg.smtp.opensslVerifyMode}'
      }
    end
--- a/nixos/modules/services/misc/portunus.nix
+++ b/nixos/modules/services/misc/portunus.nix
@ -285,7 +285,7 @@ in
            in
            {
              PORTUNUS_SERVER_HTTP_SECURE = "true";
-              PORTUNUS_SLAPD_TLS_CA_CERTIFICATE = "/etc/ssl/certs/ca-certificates.crt";
+              PORTUNUS_SLAPD_TLS_CA_CERTIFICATE = config.security.pki.caBundle;
              PORTUNUS_SLAPD_TLS_CERTIFICATE = "${acmeDirectory}/cert.pem";
              PORTUNUS_SLAPD_TLS_DOMAIN_NAME = cfg.domain;
              PORTUNUS_SLAPD_TLS_PRIVATE_KEY = "${acmeDirectory}/key.pem";
--- a/nixos/modules/services/misc/radicle.nix
+++ b/nixos/modules/services/misc/radicle.nix
@ -45,6 +45,7 @@ let
        BindReadOnlyPaths = [
          "${cfg.configFile}:${env.RAD_HOME}/config.json"
          "${if lib.types.path.check cfg.publicKey then cfg.publicKey else pkgs.writeText "radicle.pub" cfg.publicKey}:${env.RAD_HOME}/keys/radicle.pub"
+          "${config.security.pki.caBundle}:/etc/ssl/certs/ca-certificates.crt"
        ];
        KillMode = "process";
        StateDirectory = [ "radicle" ];
@ -57,7 +58,6 @@ let
      {
        BindReadOnlyPaths = [
          "-/etc/resolv.conf"
-          "/etc/ssl/certs/ca-certificates.crt"
          "/run/systemd"
        ];
        AmbientCapabilities = "";
--- a/nixos/modules/services/misc/tandoor-recipes.nix
+++ b/nixos/modules/services/misc/tandoor-recipes.nix
@ -118,9 +118,7 @@ in
        RuntimeDirectory = "tandoor-recipes";

        BindReadOnlyPaths = [
-          "${
-            config.environment.etc."ssl/certs/ca-certificates.crt".source
-          }:/etc/ssl/certs/ca-certificates.crt"
+          "${config.security.pki.caBundle}:/etc/ssl/certs/ca-certificates.crt"
          builtins.storeDir
          "-/etc/resolv.conf"
          "-/etc/nsswitch.conf"