nixos/modules: Add security.pki.caBundle option and make all services use it for CA bundles (#352244)

Previously some modules used `config.environment.etc."ssl/certs/ca-certificates.crt".source`, some used `"/etc/ssl/certs/ca-certificates.crt"`, and some used `"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"`. These were all bad in one way or another: - `config.environment.etc."ssl/certs/ca-certificates.crt".source` relies on `source` being set; if `text` is set instead this breaks, introducing a weird undocumented requirement - `"/etc/ssl/certs/ca-certificates.crt"` is probably okay but very un-nix. It's a magic string, and the path doesn't change when the file changes (and so you can't trigger service reloads, for example, when the contents change in a new system activation) - `"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"` silently doesn't include the options from `security.pki` Co-authored-by: Shelvacu <git@shelvacu.com>
2025-07-14 06:00:33 +03:00 · 2025-03-08 00:41:08 -08:00 · 2025-03-08 00:41:08 -08:00 · 1a4575f9db
commit 1a4575f9db
parent f5dadc8f64
28 changed files with 56 additions and 48 deletions
--- a/nixos/modules/services/monitoring/ocsinventory-agent.nix
+++ b/nixos/modules/services/monitoring/ocsinventory-agent.nix
@ -53,7 +53,8 @@ in

            ca = lib.mkOption {
              type = lib.types.path;
-              default = "/etc/ssl/certs/ca-certificates.crt";
+              default = config.security.pki.caBundle;
+              defaultText = lib.literalExpression "config.security.pki.caBundle";
              description = ''
                Path to CA certificates file in PEM format, for server
                SSL certificate validation.
@ -72,7 +73,6 @@ in
        };
        default = { };
        example = {
-          ca = "/etc/ssl/certs/ca-certificates.crt";
          debug = true;
          server = "https://ocsinventory.localhost:8080/ocsinventory";
          tag = "01234567890123";
--- a/nixos/modules/services/monitoring/parsedmarc.nix
+++ b/nixos/modules/services/monitoring/parsedmarc.nix
@ -371,7 +371,8 @@ in

            cert_path = lib.mkOption {
              type = lib.types.path;
-              default = "/etc/ssl/certs/ca-certificates.crt";
+              default = config.security.pki.caBundle;
+              defaultText = lib.literalExpression "config.security.pki.caBundle";
              description = ''
                The path to a TLS certificate bundle used to verify
                the server's certificate.
--- a/nixos/modules/services/monitoring/uptime-kuma.nix
+++ b/nixos/modules/services/monitoring/uptime-kuma.nix
@ -24,7 +24,7 @@ in
        default = { };
        example = {
          PORT = "4000";
-          NODE_EXTRA_CA_CERTS = "/etc/ssl/certs/ca-certificates.crt";
+          NODE_EXTRA_CA_CERTS = lib.literalExpression "config.security.pki.caBundle";
        };
        description = ''
          Additional configuration for Uptime Kuma, see