nixpkgs

mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-10 03:23:29 +03:00

History

shelvacu 1a4575f9db nixos/modules: Add security.pki.caBundle option and make all services use it for CA bundles (#352244 ) Previously some modules used `config.environment.etc."ssl/certs/ca-certificates.crt".source`, some used `"/etc/ssl/certs/ca-certificates.crt"`, and some used `"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"`. These were all bad in one way or another: - `config.environment.etc."ssl/certs/ca-certificates.crt".source` relies on `source` being set; if `text` is set instead this breaks, introducing a weird undocumented requirement - `"/etc/ssl/certs/ca-certificates.crt"` is probably okay but very un-nix. It's a magic string, and the path doesn't change when the file changes (and so you can't trigger service reloads, for example, when the contents change in a new system activation) - `"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"` silently doesn't include the options from `security.pki` Co-authored-by: Shelvacu <git@shelvacu.com>	2025-03-08 08:41:08 +00:00
..
default.nix	nixos/modules: Add security.pki.caBundle option and make all services use it for CA bundles (#352244 )	2025-03-08 08:41:08 +00:00

nixos/modules: Add security.pki.caBundle option and make all services use it for CA bundles (#352244 )

Previously some modules used `config.environment.etc."ssl/certs/ca-certificates.crt".source`, some used `"/etc/ssl/certs/ca-certificates.crt"`, and some used `"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"`. These were all bad in one way or another:

- `config.environment.etc."ssl/certs/ca-certificates.crt".source` relies on `source` being set; if `text` is set instead this breaks, introducing a weird undocumented requirement
- `"/etc/ssl/certs/ca-certificates.crt"` is probably okay but very un-nix. It's a magic string, and the path doesn't change when the file changes (and so you can't trigger service reloads, for example, when the contents change in a new system activation)
- `"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"` silently doesn't include the options from `security.pki`

Co-authored-by: Shelvacu <git@shelvacu.com>

2025-03-08 08:41:08 +00:00

default.nix

nixos/modules: Add security.pki.caBundle option and make all services use it for CA bundles (#352244 )

2025-03-08 08:41:08 +00:00