pyrox.dev / nixpkgs
lol
fork atom

nixos/modules: Add security.pki.caBundle option and make all services use it for CA bundles (#352244)

Previously some modules used `config.environment.etc."ssl/certs/ca-certificates.crt".source`, some used `"/etc/ssl/certs/ca-certificates.crt"`, and some used `"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"`. These were all bad in one way or another:

- `config.environment.etc."ssl/certs/ca-certificates.crt".source` relies on `source` being set; if `text` is set instead this breaks, introducing a weird undocumented requirement
- `"/etc/ssl/certs/ca-certificates.crt"` is probably okay but very un-nix. It's a magic string, and the path doesn't change when the file changes (and so you can't trigger service reloads, for example, when the contents change in a new system activation)
- `"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"` silently doesn't include the options from `security.pki`

Co-authored-by: Shelvacu <git@shelvacu.com>

shelvacu 1a4575f9 f5dadc8f

options
unified split
Changed files
+56 -48
nixos
doc
manual
release-notes
rl-2505.section.md
modules
security
ca.nix
services
audio
gonic.nix
navidrome.nix
continuous-integration
gocd-agent
default.nix
gocd-server
default.nix
mail
postfix.nix
misc
db-rest.nix
gitlab.nix
portunus.nix
radicle.nix
tandoor-recipes.nix
monitoring
ocsinventory-agent.nix
parsedmarc.nix
uptime-kuma.nix
networking
biboumi.nix
privoxy.nix
stunnel.nix
unbound.nix
search
hound.nix
system
nix-daemon.nix
torrent
transmission.nix
web-apps
cryptpad.nix
dex.nix
grav.nix
nextcloud.nix
peertube.nix
sogo.nix
+2
nixos/doc/manual/release-notes/rl-2505.section.md 
···

       
540

       
540

       
 

       



     

       
541

       
541

       
 

       
- `services.avahi.ipv6` now defaults to true.


     

       
542

       
542

       
 

       



     

       

       
543

       
+

       
- All services that require a root certificate bundle now use the value of a new read-only option, `security.pki.caBundle`.


     

       

       
544

       
+

       



     

       
543

       
545

       
 

       
- hddfancontrol has been updated to major release 2. See the [migration guide](https://github.com/desbma/hddfancontrol/tree/master?tab=readme-ov-file#migrating-from-v1x), as there are breaking changes.


     

       
544

       
546

       
 

       



     

       
545

       
547

       
 

       
- The Home Assistant module has new options {option}`services.home-assistant.blueprints.automation`, `services.home-assistant.blueprints.script`, and {option}`services.home-assistant.blueprints.template` that allow for the declarative installation of [blueprints](https://www.home-assistant.io/docs/blueprint/) into the appropriate configuration directories.
+20 -12
nixos/modules/security/ca.nix 
···

       
5

       
5

       
 

       
  ...


     

       
6

       
6

       
 

       
}:


     

       
7

       
7

       
 

       
let


     

       
8

       

       
-

       



     

       
9

       
8

       
 

       
  cfg = config.security.pki;


     

       
10

       
9

       
 

       



     

       
11

       
10

       
 

       
  cacertPackage = pkgs.cacert.override {


     
···

       
88

       
87

       
 

       
      '';


     

       
89

       
88

       
 

       
    };


     

       
90

       
89

       
 

       



     

       

       
90

       
+

       
    security.pki.caBundle = lib.mkOption {


     

       

       
91

       
+

       
      type = lib.types.path;


     

       

       
92

       
+

       
      readOnly = true;


     

       

       
93

       
+

       
      description = ''


     

       

       
94

       
+

       
        (Read-only) the path to the final bundle of certificate authorities as a single file.


     

       

       
95

       
+

       
      '';


     

       

       
96

       
+

       
    };


     

       
91

       
97

       
 

       
  };


     

       
92

       
98

       
 

       



     

       
93

       

       
-

       
  config = lib.mkIf cfg.installCACerts {


     

       

       
99

       
+

       
  config = lib.mkMerge [


     

       

       
100

       
+

       
    (lib.mkIf cfg.installCACerts {


     

       
94

       
101

       
 

       



     

       
95

       

       
-

       
    # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility.


     

       
96

       

       
-

       
    environment.etc."ssl/certs/ca-certificates.crt".source = caBundle;


     

       

       
102

       
+

       
      # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility.


     

       

       
103

       
+

       
      environment.etc."ssl/certs/ca-certificates.crt".source = caBundle;


     

       
97

       
104

       
 

       



     

       
98

       

       
-

       
    # Old NixOS compatibility.


     

       
99

       

       
-

       
    environment.etc."ssl/certs/ca-bundle.crt".source = caBundle;


     

       

       
105

       
+

       
      # Old NixOS compatibility.


     

       

       
106

       
+

       
      environment.etc."ssl/certs/ca-bundle.crt".source = caBundle;


     

       
100

       
107

       
 

       



     

       
101

       

       
-

       
    # CentOS/Fedora compatibility.


     

       
102

       

       
-

       
    environment.etc."pki/tls/certs/ca-bundle.crt".source = caBundle;


     

       

       
108

       
+

       
      # CentOS/Fedora compatibility.


     

       

       
109

       
+

       
      environment.etc."pki/tls/certs/ca-bundle.crt".source = caBundle;


     

       
103

       
110

       
 

       



     

       
104

       

       
-

       
    # P11-Kit trust source.


     

       
105

       

       
-

       
    environment.etc."ssl/trust-source".source = "${cacertPackage.p11kit}/etc/ssl/trust-source";


     

       
106

       

       
-

       



     

       
107

       

       
-

       
  };


     

       

       
111

       
+

       
      # P11-Kit trust source.


     

       

       
112

       
+

       
      environment.etc."ssl/trust-source".source = "${cacertPackage.p11kit}/etc/ssl/trust-source";


     

       

       
113

       
+

       
    })


     

       

       
114

       
+

       
    { security.pki.caBundle = caBundle; }


     

       

       
115

       
+

       
  ];


     

       
108

       
116

       
 

       



     

       
109

       
117

       
 

       
}
+1 -1
nixos/modules/services/audio/gonic.nix 
···

       
59

       
59

       
 

       
        BindReadOnlyPaths = [


     

       
60

       
60

       
 

       
          # gonic can access scrobbling services


     

       
61

       
61

       
 

       
          "-/etc/resolv.conf"


     

       
62

       

       
-

       
          "-/etc/ssl/certs/ca-certificates.crt"


     

       

       
62

       
+

       
          "${config.security.pki.caBundle}:/etc/ssl/certs/ca-certificates.crt"


     

       
63

       
63

       
 

       
          builtins.storeDir


     

       
64

       
64

       
 

       
        ] ++ cfg.settings.music-path


     

       
65

       
65

       
 

       
        ++ lib.optional (cfg.settings.tls-cert != null) cfg.settings.tls-cert
+1 -3
nixos/modules/services/audio/navidrome.nix 
···

       
118

       
118

       
 

       
            BindReadOnlyPaths =


     

       
119

       
119

       
 

       
              [


     

       
120

       
120

       
 

       
                # navidrome uses online services to download additional album metadata / covers


     

       
121

       

       
-

       
                "${


     

       
122

       

       
-

       
                  config.environment.etc."ssl/certs/ca-certificates.crt".source


     

       
123

       

       
-

       
                }:/etc/ssl/certs/ca-certificates.crt"


     

       

       
121

       
+

       
                "${config.security.pki.caBundle}:/etc/ssl/certs/ca-certificates.crt"


     

       
124

       
122

       
 

       
                builtins.storeDir


     

       
125

       
123

       
 

       
                "/etc"


     

       
126

       
124

       
 

       
              ]
+1 -1
nixos/modules/services/continuous-integration/gocd-agent/default.nix 
···

       
213

       
213

       
 

       
        rm -f config/autoregister.properties


     

       
214

       
214

       
 

       
        ln -s "${pkgs.writeText "autoregister.properties" cfg.agentConfig}" config/autoregister.properties


     

       
215

       
215

       
 

       



     

       
216

       

       
-

       
        ${pkgs.git}/bin/git config --global --add http.sslCAinfo /etc/ssl/certs/ca-certificates.crt


     

       

       
216

       
+

       
        ${pkgs.git}/bin/git config --global --add http.sslCAinfo ${config.security.pki.caBundle}


     

       
217

       
217

       
 

       
        ${pkgs.jre}/bin/java ${lib.concatStringsSep " " cfg.startupOptions} \


     

       
218

       
218

       
 

       
                        ${lib.concatStringsSep " " cfg.extraOptions} \


     

       
219

       
219

       
 

       
                              -jar ${pkgs.gocd-agent}/go-agent/agent-bootstrapper.jar \
+1 -1
nixos/modules/services/continuous-integration/gocd-server/default.nix 
···

       
217

       
217

       
 

       
      path = cfg.packages;


     

       
218

       
218

       
 

       



     

       
219

       
219

       
 

       
      script = ''


     

       
220

       

       
-

       
        ${pkgs.git}/bin/git config --global --add http.sslCAinfo /etc/ssl/certs/ca-certificates.crt


     

       

       
220

       
+

       
        ${pkgs.git}/bin/git config --global --add http.sslCAinfo ${config.security.pki.caBundle}


     

       
221

       
221

       
 

       
        ${pkgs.jre}/bin/java -server ${concatStringsSep " " cfg.startupOptions} \


     

       
222

       
222

       
 

       
                               ${concatStringsSep " " cfg.extraOptions}  \


     

       
223

       
223

       
 

       
                              -jar ${pkgs.gocd-server}/go-server/lib/go.jar
+4 -3
nixos/modules/services/mail/postfix.nix 
···

       
591

       
591

       
 

       



     

       
592

       
592

       
 

       
      tlsTrustedAuthorities = lib.mkOption {


     

       
593

       
593

       
 

       
        type = lib.types.str;


     

       
594

       

       
-

       
        default = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";


     

       
595

       

       
-

       
        defaultText = lib.literalExpression ''"''${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"'';


     

       

       
594

       
+

       
        default = config.security.pki.caBundle;


     

       

       
595

       
+

       
        defaultText = lib.literalExpression "config.security.pki.caBundle";


     

       

       
596

       
+

       
        example = lib.literalExpression ''"''${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"'';


     

       
596

       
597

       
 

       
        description = ''


     

       
597

       

       
-

       
          File containing trusted certification authorities (CA) to verify certificates of mailservers contacted for mail delivery. This basically sets smtp_tls_CAfile and enables opportunistic tls. Defaults to NixOS trusted certification authorities.


     

       

       
598

       
+

       
          File containing trusted certification authorities (CA) to verify certificates of mailservers contacted for mail delivery. This sets [smtp_tls_CAfile](https://www.postfix.org/postconf.5.html#smtp_tls_CAfile). Defaults to system trusted certificates (see `security.pki.*` options).


     

       
598

       
599

       
 

       
        '';


     

       
599

       
600

       
 

       
      };


     

       
600

       
601
+1 -1
nixos/modules/services/misc/db-rest.nix 
···

       
162

       
162

       
 

       
        };


     

       
163

       
163

       
 

       
        environment = {


     

       
164

       
164

       
 

       
          NODE_ENV = "production";


     

       
165

       

       
-

       
          NODE_EXTRA_CA_CERTS = "/etc/ssl/certs/ca-certificates.crt";


     

       

       
165

       
+

       
          NODE_EXTRA_CA_CERTS = config.security.pki.caBundle;


     

       
166

       
166

       
 

       
          HOSTNAME = cfg.host;


     

       
167

       
167

       
 

       
          PORT = toString cfg.port;


     

       
168

       
168

       
 

       
        };
+1 -1
nixos/modules/services/misc/gitlab.nix 
···

       
244

       
244

       
 

       
        ${optionalString (cfg.smtp.authentication != null) "authentication: :${cfg.smtp.authentication},"}


     

       
245

       
245

       
 

       
        enable_starttls_auto: ${boolToString cfg.smtp.enableStartTLSAuto},


     

       
246

       
246

       
 

       
        tls: ${boolToString cfg.smtp.tls},


     

       
247

       

       
-

       
        ca_file: "/etc/ssl/certs/ca-certificates.crt",


     

       

       
247

       
+

       
        ca_file: "${config.security.pki.caBundle}",


     

       
248

       
248

       
 

       
        openssl_verify_mode: '${cfg.smtp.opensslVerifyMode}'


     

       
249

       
249

       
 

       
      }


     

       
250

       
250

       
 

       
    end
+1 -1
nixos/modules/services/misc/portunus.nix 
···

       
285

       
285

       
 

       
            in


     

       
286

       
286

       
 

       
            {


     

       
287

       
287

       
 

       
              PORTUNUS_SERVER_HTTP_SECURE = "true";


     

       
288

       

       
-

       
              PORTUNUS_SLAPD_TLS_CA_CERTIFICATE = "/etc/ssl/certs/ca-certificates.crt";


     

       

       
288

       
+

       
              PORTUNUS_SLAPD_TLS_CA_CERTIFICATE = config.security.pki.caBundle;


     

       
289

       
289

       
 

       
              PORTUNUS_SLAPD_TLS_CERTIFICATE = "${acmeDirectory}/cert.pem";


     

       
290

       
290

       
 

       
              PORTUNUS_SLAPD_TLS_DOMAIN_NAME = cfg.domain;


     

       
291

       
291

       
 

       
              PORTUNUS_SLAPD_TLS_PRIVATE_KEY = "${acmeDirectory}/key.pem";
+1 -1
nixos/modules/services/misc/radicle.nix 
···

       
45

       
45

       
 

       
        BindReadOnlyPaths = [


     

       
46

       
46

       
 

       
          "${cfg.configFile}:${env.RAD_HOME}/config.json"


     

       
47

       
47

       
 

       
          "${if lib.types.path.check cfg.publicKey then cfg.publicKey else pkgs.writeText "radicle.pub" cfg.publicKey}:${env.RAD_HOME}/keys/radicle.pub"


     

       

       
48

       
+

       
          "${config.security.pki.caBundle}:/etc/ssl/certs/ca-certificates.crt"


     

       
48

       
49

       
 

       
        ];


     

       
49

       
50

       
 

       
        KillMode = "process";


     

       
50

       
51

       
 

       
        StateDirectory = [ "radicle" ];


     
···

       
57

       
58

       
 

       
      {


     

       
58

       
59

       
 

       
        BindReadOnlyPaths = [


     

       
59

       
60

       
 

       
          "-/etc/resolv.conf"


     

       
60

       

       
-

       
          "/etc/ssl/certs/ca-certificates.crt"


     

       
61

       
61

       
 

       
          "/run/systemd"


     

       
62

       
62

       
 

       
        ];


     

       
63

       
63

       
 

       
        AmbientCapabilities = "";
+1 -3
nixos/modules/services/misc/tandoor-recipes.nix 
···

       
118

       
118

       
 

       
        RuntimeDirectory = "tandoor-recipes";


     

       
119

       
119

       
 

       



     

       
120

       
120

       
 

       
        BindReadOnlyPaths = [


     

       
121

       

       
-

       
          "${


     

       
122

       

       
-

       
            config.environment.etc."ssl/certs/ca-certificates.crt".source


     

       
123

       

       
-

       
          }:/etc/ssl/certs/ca-certificates.crt"


     

       

       
121

       
+

       
          "${config.security.pki.caBundle}:/etc/ssl/certs/ca-certificates.crt"


     

       
124

       
122

       
 

       
          builtins.storeDir


     

       
125

       
123

       
 

       
          "-/etc/resolv.conf"


     

       
126

       
124

       
 

       
          "-/etc/nsswitch.conf"
+2 -2
nixos/modules/services/monitoring/ocsinventory-agent.nix 
···

       
53

       
53

       
 

       



     

       
54

       
54

       
 

       
            ca = lib.mkOption {


     

       
55

       
55

       
 

       
              type = lib.types.path;


     

       
56

       

       
-

       
              default = "/etc/ssl/certs/ca-certificates.crt";


     

       

       
56

       
+

       
              default = config.security.pki.caBundle;


     

       

       
57

       
+

       
              defaultText = lib.literalExpression "config.security.pki.caBundle";


     

       
57

       
58

       
 

       
              description = ''


     

       
58

       
59

       
 

       
                Path to CA certificates file in PEM format, for server


     

       
59

       
60

       
 

       
                SSL certificate validation.


     
···

       
72

       
73

       
 

       
        };


     

       
73

       
74

       
 

       
        default = { };


     

       
74

       
75

       
 

       
        example = {


     

       
75

       

       
-

       
          ca = "/etc/ssl/certs/ca-certificates.crt";


     

       
76

       
76

       
 

       
          debug = true;


     

       
77

       
77

       
 

       
          server = "https://ocsinventory.localhost:8080/ocsinventory";


     

       
78

       
78

       
 

       
          tag = "01234567890123";
+2 -1
nixos/modules/services/monitoring/parsedmarc.nix 
···

       
371

       
371

       
 

       



     

       
372

       
372

       
 

       
            cert_path = lib.mkOption {


     

       
373

       
373

       
 

       
              type = lib.types.path;


     

       
374

       

       
-

       
              default = "/etc/ssl/certs/ca-certificates.crt";


     

       

       
374

       
+

       
              default = config.security.pki.caBundle;


     

       

       
375

       
+

       
              defaultText = lib.literalExpression "config.security.pki.caBundle";


     

       
375

       
376

       
 

       
              description = ''


     

       
376

       
377

       
 

       
                The path to a TLS certificate bundle used to verify


     

       
377

       
378

       
 

       
                the server's certificate.
+1 -1
nixos/modules/services/monitoring/uptime-kuma.nix 
···

       
24

       
24

       
 

       
        default = { };


     

       
25

       
25

       
 

       
        example = {


     

       
26

       
26

       
 

       
          PORT = "4000";


     

       
27

       

       
-

       
          NODE_EXTRA_CA_CERTS = "/etc/ssl/certs/ca-certificates.crt";


     

       

       
27

       
+

       
          NODE_EXTRA_CA_CERTS = lib.literalExpression "config.security.pki.caBundle";


     

       
28

       
28

       
 

       
        };


     

       
29

       
29

       
 

       
        description = ''


     

       
30

       
30

       
 

       
          Additional configuration for Uptime Kuma, see
+2 -1
nixos/modules/services/networking/biboumi.nix 
···

       
57

       
57

       
 

       
          };


     

       
58

       
58

       
 

       
          options.ca_file = lib.mkOption {


     

       
59

       
59

       
 

       
            type = lib.types.path;


     

       
60

       

       
-

       
            default = "/etc/ssl/certs/ca-certificates.crt";


     

       

       
60

       
+

       
            default = config.security.pki.caBundle;


     

       

       
61

       
+

       
            defaultText = lib.literalExpression "config.security.pki.caBundle";


     

       
61

       
62

       
 

       
            description = ''


     

       
62

       
63

       
 

       
              Specifies which file should be used as the list of trusted CA


     

       
63

       
64

       
 

       
              when negotiating a TLS session.
+1 -2
nixos/modules/services/networking/privoxy.nix 
···

       
282

       
282

       
 

       
        # This allows setting absolute key/crt paths


     

       
283

       
283

       
 

       
        ca-directory = "/var/empty";


     

       
284

       
284

       
 

       
        certificate-directory = "/run/privoxy/certs";


     

       
285

       

       
-

       
        trusted-cas-file = "/etc/ssl/certs/ca-certificates.crt";


     

       

       
285

       
+

       
        trusted-cas-file = config.security.pki.caBundle;


     

       
286

       
286

       
 

       
      });


     

       
287

       

       
-

       



     

       
288

       
287

       
 

       
  };


     

       
289

       
288

       
 

       



     

       
290

       
289

       
 

       
  imports =
+2 -2
nixos/modules/services/networking/stunnel.nix 
···

       
123

       
123

       
 

       
        description = ''


     

       
124

       
124

       
 

       
          Define the client configurations.


     

       
125

       
125

       
 

       



     

       
126

       

       
-

       
          By default, verifyChain and OCSPaia are enabled and a CAFile is provided from pkgs.cacert.


     

       

       
126

       
+

       
          By default, verifyChain and OCSPaia are enabled and CAFile is set to `security.pki.caBundle`.


     

       
127

       
127

       
 

       



     

       
128

       
128

       
 

       
          See "SERVICE-LEVEL OPTIONS" in {manpage}`stunnel(8)`.


     

       
129

       
129

       
 

       
        '';


     
···

       
144

       
144

       
 

       
            applyDefaults =


     

       
145

       
145

       
 

       
              c:


     

       
146

       
146

       
 

       
              {


     

       
147

       

       
-

       
                CAFile = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";


     

       

       
147

       
+

       
                CAFile = config.security.pki.caBundle;


     

       
148

       
148

       
 

       
                OCSPaia = true;


     

       
149

       
149

       
 

       
                verifyChain = true;


     

       
150

       
150

       
 

       
              }
+1 -1
nixos/modules/services/networking/unbound.nix 
···

       
195

       
195

       
 

       
        interface = mkDefault ([ "127.0.0.1" ] ++ (optional config.networking.enableIPv6 "::1"));


     

       
196

       
196

       
 

       
        access-control = mkDefault ([ "127.0.0.0/8 allow" ] ++ (optional config.networking.enableIPv6 "::1/128 allow"));


     

       
197

       
197

       
 

       
        auto-trust-anchor-file = mkIf cfg.enableRootTrustAnchor rootTrustAnchorFile;


     

       
198

       

       
-

       
        tls-cert-bundle = mkDefault "/etc/ssl/certs/ca-certificates.crt";


     

       

       
198

       
+

       
        tls-cert-bundle = mkDefault config.security.pki.caBundle;


     

       
199

       
199

       
 

       
        # prevent race conditions on system startup when interfaces are not yet


     

       
200

       
200

       
 

       
        # configured


     

       
201

       
201

       
 

       
        ip-freebind = mkDefault true;
+1 -1
nixos/modules/services/search/hound.nix 
···

       
118

       
118

       
 

       
        User = cfg.user;


     

       
119

       
119

       
 

       
        Group = cfg.group;


     

       
120

       
120

       
 

       
        WorkingDirectory = cfg.home;


     

       
121

       

       
-

       
        ExecStartPre = "${pkgs.git}/bin/git config --global --replace-all http.sslCAinfo /etc/ssl/certs/ca-certificates.crt";


     

       

       
121

       
+

       
        ExecStartPre = "${pkgs.git}/bin/git config --global --replace-all http.sslCAinfo ${config.security.pki.caBundle}";


     

       
122

       
122

       
 

       
        ExecStart = "${cfg.package}/bin/houndd -addr ${cfg.listen} -conf /etc/hound/config.json";


     

       
123

       
123

       
 

       
      };


     

       
124

       
124

       
 

       
    };
+1 -1
nixos/modules/services/system/nix-daemon.nix 
···

       
218

       
218

       
 

       
      environment =


     

       
219

       
219

       
 

       
        cfg.envVars


     

       
220

       
220

       
 

       
        // {


     

       
221

       

       
-

       
          CURL_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt";


     

       

       
221

       
+

       
          CURL_CA_BUNDLE = config.security.pki.caBundle;


     

       
222

       
222

       
 

       
        }


     

       
223

       
223

       
 

       
        // config.networking.proxy.envVars;


     

       
224

       
224
+1 -1
nixos/modules/services/torrent/transmission.nix 
···

       
361

       
361

       
 

       
      wantedBy = [ "multi-user.target" ];


     

       
362

       
362

       
 

       



     

       
363

       
363

       
 

       
      environment = {


     

       
364

       

       
-

       
        CURL_CA_BUNDLE = etc."ssl/certs/ca-certificates.crt".source;


     

       

       
364

       
+

       
        CURL_CA_BUNDLE = config.security.pki.caBundle;


     

       
365

       
365

       
 

       
        TRANSMISSION_WEB_HOME = lib.mkIf (cfg.webHome != null) cfg.webHome;


     

       
366

       
366

       
 

       
      };


     

       
367

       
367
+1 -1
nixos/modules/services/web-apps/cryptpad.nix 
···

       
239

       
239

       
 

       
            "-/etc/resolv.conf"


     

       
240

       
240

       
 

       
            "-/run/systemd"


     

       
241

       
241

       
 

       
            "/etc/hosts"


     

       
242

       

       
-

       
            "/etc/ssl/certs/ca-certificates.crt"


     

       

       
242

       
+

       
            "${config.security.pki.caBundle}:/etc/ssl/certs/ca-certificates.crt"


     

       
243

       
243

       
 

       
          ];


     

       
244

       
244

       
 

       
        };


     

       
245

       
245

       
 

       
      };
+1 -1
nixos/modules/services/web-apps/dex.nix 
···

       
117

       
117

       
 

       
            "-/etc/localtime"


     

       
118

       
118

       
 

       
            "-/etc/nsswitch.conf"


     

       
119

       
119

       
 

       
            "-/etc/resolv.conf"


     

       
120

       

       
-

       
            "-/etc/ssl/certs/ca-certificates.crt"


     

       

       
120

       
+

       
            "${config.security.pki.caBundle}:/etc/ssl/certs/ca-certificates.crt"


     

       
121

       
121

       
 

       
          ];


     

       
122

       
122

       
 

       
          BindPaths = optional (cfg.settings.storage.type == "postgres") "/var/run/postgresql";


     

       
123

       
123

       
 

       
          # ProtectClock= adds DeviceAllow=char-rtc r
+1 -1
nixos/modules/services/web-apps/grav.nix 
···

       
132

       
132

       
 

       
            "opcache.memory_consumption" = "128";


     

       
133

       
133

       
 

       
            "opcache.revalidate_freq" = "1";


     

       
134

       
134

       
 

       
            "opcache.fast_shutdown" = "1";


     

       
135

       

       
-

       
            "openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";


     

       

       
135

       
+

       
            "openssl.cafile" = config.security.pki.caBundle;


     

       
136

       
136

       
 

       
            catch_workers_output = "yes";


     

       
137

       
137

       
 

       



     

       
138

       
138

       
 

       
            upload_max_filesize = cfg.maxUploadSize;
+2 -2
nixos/modules/services/web-apps/nextcloud.nix 
···

       
19

       
19

       
 

       
    "opcache.memory_consumption" = "128";


     

       
20

       
20

       
 

       
    "opcache.revalidate_freq" = "1";


     

       
21

       
21

       
 

       
    "opcache.fast_shutdown" = "1";


     

       
22

       

       
-

       
    "openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";


     

       

       
22

       
+

       
    "openssl.cafile" = config.security.pki.caBundle;


     

       
23

       
23

       
 

       
    catch_workers_output = "yes";


     

       
24

       
24

       
 

       
  };


     

       
25

       
25

       
 

       



     
···

       
400

       
400

       
 

       



     

       
401

       
401

       
 

       
    phpOptions = mkOption {


     

       
402

       
402

       
 

       
      type = with types; attrsOf (oneOf [ str int ]);


     

       
403

       

       
-

       
      defaultText = literalExpression (generators.toPretty { } defaultPHPSettings);


     

       

       
403

       
+

       
      defaultText = literalExpression (generators.toPretty { } (defaultPHPSettings // { "openssl.cafile" = literalExpression "config.security.pki.caBundle"; }));


     

       
404

       
404

       
 

       
      description = ''


     

       
405

       
405

       
 

       
        Options for PHP's php.ini file for nextcloud.


     

       
406

       
406
+1 -1
nixos/modules/services/web-apps/peertube.nix 
···

       
16

       
16

       
 

       
  env = {


     

       
17

       
17

       
 

       
    NODE_CONFIG_DIR = "/var/lib/peertube/config";


     

       
18

       
18

       
 

       
    NODE_ENV = "production";


     

       
19

       

       
-

       
    NODE_EXTRA_CA_CERTS = "/etc/ssl/certs/ca-certificates.crt";


     

       

       
19

       
+

       
    NODE_EXTRA_CA_CERTS = config.security.pki.caBundle;


     

       
20

       
20

       
 

       
    NPM_CONFIG_CACHE = "/var/cache/peertube/.npm";


     

       
21

       
21

       
 

       
    NPM_CONFIG_PREFIX = cfg.package;


     

       
22

       
22

       
 

       
    HOME = cfg.package;
+1 -1
nixos/modules/services/web-apps/sogo.nix 
···

       
113

       
113

       
 

       
      wantedBy = [ "multi-user.target" ];


     

       
114

       
114

       
 

       
      restartTriggers = [ config.environment.etc."sogo/sogo.conf.raw".source ];


     

       
115

       
115

       
 

       



     

       
116

       

       
-

       
      environment.LDAPTLS_CACERT = "/etc/ssl/certs/ca-certificates.crt";


     

       

       
116

       
+

       
      environment.LDAPTLS_CACERT = config.security.pki.caBundle;


     

       
117

       
117

       
 

       



     

       
118

       
118

       
 

       
      serviceConfig = {


     

       
119

       
119

       
 

       
        Type = "forking";