
nixos/modules: Add security.pki.caBundle option and make all services use it for CA bundles (#352244)

Previously some modules used `config.environment.etc."ssl/certs/ca-certificates.crt".source`, some used `"/etc/ssl/certs/ca-certificates.crt"`, and some used `"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"`. These were all bad in one way or another:

- `config.environment.etc."ssl/certs/ca-certificates.crt".source` relies on `source` being set; if `text` is set instead this breaks, introducing a weird undocumented requirement
- `"/etc/ssl/certs/ca-certificates.crt"` is probably okay but very un-nix. It's a magic string, and the path doesn't change when the file changes (and so you can't trigger service reloads, for example, when the contents change in a new system activation)
- `"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"` is the stock `pkgs.cacert` bundle, not the one the `security.pki` module builds from its overridden `cacert`, so it silently ignores whatever is configured through the `security.pki` options

Co-authored-by: Shelvacu <git@shelvacu.com>

authored by

shelvacu
Shelvacu
and committed by
GitHub
1a4575f9 f5dadc8f

+56 -48
+2
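--- a/nixos/doc/manual/release-notes/rl-2505.section.md
+++ b/nixos/doc/manual/release-notes/rl-2505.section.md
@@ -540,6 +540,8 @@
 
 - `services.avahi.ipv6` now defaults to true.
 
+- All services that require a root certificate bundle now use the value of a new read-only option, `security.pki.caBundle`.
+
 - hddfancontrol has been updated to major release 2. See the [migration guide](https://github.com/desbma/hddfancontrol/tree/master?tab=readme-ov-file#migrating-from-v1x), as there are breaking changes.
 
 - The Home Assistant module has new options {option}`services.home-assistant.blueprints.automation`, `services.home-assistant.blueprints.script`, and {option}`services.home-assistant.blueprints.template` that allow for the declarative installation of [blueprints](https://www.home-assistant.io/docs/blueprint/) into the appropriate configuration directories.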
+20 -12
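--- a/nixos/modules/security/ca.nix
+++ b/nixos/modules/security/ca.nix
@@ -5,7 +5,6 @@
   ...
 }:
 let
-
   cfg = config.security.pki;
 
   cacertPackage = pkgs.cacert.override {
@@ -88,22 +87,31 @@
       '';
     };
 
+    security.pki.caBundle = lib.mkOption {
+      type = lib.types.path;
+      readOnly = true;
+      description = ''
+        (Read-only) the path to the final bundle of certificate authorities as a single file.
+      '';
+    };
   };
 
-  config = lib.mkIf cfg.installCACerts {
+  config = lib.mkMerge [
+    (lib.mkIf cfg.installCACerts {
 
-    # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility.
-    environment.etc."ssl/certs/ca-certificates.crt".source = caBundle;
+      # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility.
+      environment.etc."ssl/certs/ca-certificates.crt".source = caBundle;
 
-    # Old NixOS compatibility.
-    environment.etc."ssl/certs/ca-bundle.crt".source = caBundle;
+      # Old NixOS compatibility.
+      environment.etc."ssl/certs/ca-bundle.crt".source = caBundle;
 
-    # CentOS/Fedora compatibility.
-    environment.etc."pki/tls/certs/ca-bundle.crt".source = caBundle;
+      # CentOS/Fedora compatibility.
+      environment.etc."pki/tls/certs/ca-bundle.crt".source = caBundle;
 
-    # P11-Kit trust source.
-    environment.etc."ssl/trust-source".source = "${cacertPackage.p11kit}/etc/ssl/trust-source";
-
-  };
+      # P11-Kit trust source.
+      environment.etc."ssl/trust-source".source = "${cacertPackage.p11kit}/etc/ssl/trust-source";
+    })
+    { security.pki.caBundle = caBundle; }
+  ];
 
 }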
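Review bot: `security.pki.caBundle` is assigned in the second `mkMerge` element, outside the `mkIf cfg.installCACerts` branch, so every service migrated to it in this commit now trusts the generated bundle even when `installCACerts = false`; before, those services pointed at `/etc/ssl/certs/ca-certificates.crt`, which that setting leaves absent, so they ran without a system bundle (or, for the `-`-prefixed bind mounts, with whatever the program does on its own). That is a defensible design, but it is a behaviour change the option text does not mention, so the description should state it, for example `(Read-only) the path to the final bundle of certificate authorities as a single file. It is always defined, even when installCACerts = false, and reflects the other security.pki options.` If the change is not intended, the assignment belongs inside the `mkIf` branch and the option then needs a default. The `let` bindings that compute `caBundle` and `cacertPackage` start before the hunk.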
+1 -1
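--- a/nixos/modules/services/audio/gonic.nix
+++ b/nixos/modules/services/audio/gonic.nix
@@ -59,7 +59,7 @@
         BindReadOnlyPaths = [
           # gonic can access scrobbling services
           "-/etc/resolv.conf"
-          "-/etc/ssl/certs/ca-certificates.crt"
+          "${config.security.pki.caBundle}:/etc/ssl/certs/ca-certificates.crt"
           builtins.storeDir
         ] ++ cfg.settings.music-path
         ++ lib.optional (cfg.settings.tls-cert != null) cfg.settings.tls-cert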
+1 -3
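--- a/nixos/modules/services/audio/navidrome.nix
+++ b/nixos/modules/services/audio/navidrome.nix
@@ -118,9 +118,7 @@
         BindReadOnlyPaths =
           [
             # navidrome uses online services to download additional album metadata / covers
-            "${
-              config.environment.etc."ssl/certs/ca-certificates.crt".source
-            }:/etc/ssl/certs/ca-certificates.crt"
+            "${config.security.pki.caBundle}:/etc/ssl/certs/ca-certificates.crt"
             builtins.storeDir
             "/etc"
           ]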
+1 -1
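--- a/nixos/modules/services/continuous-integration/gocd-agent/default.nix
+++ b/nixos/modules/services/continuous-integration/gocd-agent/default.nix
@@ -213,7 +213,7 @@
         rm -f config/autoregister.properties
         ln -s "${pkgs.writeText "autoregister.properties" cfg.agentConfig}" config/autoregister.properties
 
-        ${pkgs.git}/bin/git config --global --add http.sslCAinfo /etc/ssl/certs/ca-certificates.crt
+        ${pkgs.git}/bin/git config --global --add http.sslCAinfo ${config.security.pki.caBundle}
         ${pkgs.jre}/bin/java ${lib.concatStringsSep " " cfg.startupOptions} \
           ${lib.concatStringsSep " " cfg.extraOptions} \
           -jar ${pkgs.gocd-agent}/go-agent/agent-bootstrapper.jar \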
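Review bot: `git config --global --add http.sslCAinfo ${config.security.pki.caBundle}` appends a new value on every agent start, and now that the value is a store path that changes whenever the bundle is rebuilt, the agent user's `.gitconfig` collects one stale `http.sslCAinfo` entry per system generation; git appears to use the last value for this single-valued key, so lookups still work, but the file grows without bound and the older entries point at store paths that may since have been garbage-collected. `hound.nix` in this same commit uses `--replace-all` for the identical setting, so this line should be `${pkgs.git}/bin/git config --global --replace-all http.sslCAinfo ${config.security.pki.caBundle}`. The startup script this belongs to continues outside the hunk.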
+1 -1
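--- a/nixos/modules/services/continuous-integration/gocd-server/default.nix
+++ b/nixos/modules/services/continuous-integration/gocd-server/default.nix
@@ -217,7 +217,7 @@
         path = cfg.packages;
 
         script = ''
-          ${pkgs.git}/bin/git config --global --add http.sslCAinfo /etc/ssl/certs/ca-certificates.crt
+          ${pkgs.git}/bin/git config --global --add http.sslCAinfo ${config.security.pki.caBundle}
           ${pkgs.jre}/bin/java -server ${concatStringsSep " " cfg.startupOptions} \
             ${concatStringsSep " " cfg.extraOptions} \
             -jar ${pkgs.gocd-server}/go-server/lib/go.jar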
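Review bot: With a store path as the value, `--add` is the wrong verb here: each server start adds another `http.sslCAinfo` line to the service user's global git config, and after every rebuild of the CA bundle the previous lines reference store paths that no longer have to exist. Since git is not asked to remove anything, the config accumulates indefinitely; `--replace-all`, as `hound.nix` already uses in this commit, keeps exactly one current entry: `${pkgs.git}/bin/git config --global --replace-all http.sslCAinfo ${config.security.pki.caBundle}`. The `script` string continues past the hunk.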
+4 -3
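--- a/nixos/modules/services/mail/postfix.nix
+++ b/nixos/modules/services/mail/postfix.nix
@@ -591,10 +591,11 @@
 
       tlsTrustedAuthorities = lib.mkOption {
         type = lib.types.str;
-        default = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
-        defaultText = lib.literalExpression ''"''${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"'';
+        default = config.security.pki.caBundle;
+        defaultText = lib.literalExpression "config.security.pki.caBundle";
+        example = lib.literalExpression ''"''${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"'';
         description = ''
-          File containing trusted certification authorities (CA) to verify certificates of mailservers contacted for mail delivery. This basically sets smtp_tls_CAfile and enables opportunistic tls. Defaults to NixOS trusted certification authorities.
+          File containing trusted certification authorities (CA) to verify certificates of mailservers contacted for mail delivery. This sets [smtp_tls_CAfile](https://www.postfix.org/postconf.5.html#smtp_tls_CAfile). Defaults to system trusted certificates (see `security.pki.*` options).
         '';
       };
 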
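Review bot: The new `example` shows `"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"`, which is exactly the value the commit description calls out as silently bypassing the `security.pki` options; offering it as the documented example steers users straight back into that pitfall. A neutral value such as `example = "/var/lib/postfix/mailserver-cas.pem";`, or simply no example now that the default is what nearly everyone wants, would be better. The `tlsTrustedAuthorities` option is fully visible in the hunk.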
+1 -1
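--- a/nixos/modules/services/misc/db-rest.nix
+++ b/nixos/modules/services/misc/db-rest.nix
@@ -162,7 +162,7 @@
       };
       environment = {
         NODE_ENV = "production";
-        NODE_EXTRA_CA_CERTS = "/etc/ssl/certs/ca-certificates.crt";
+        NODE_EXTRA_CA_CERTS = config.security.pki.caBundle;
         HOSTNAME = cfg.host;
         PORT = toString cfg.port;
       };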
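Review bot: `NODE_EXTRA_CA_CERTS` adds the listed certificates on top of Node's compiled-in root store rather than replacing it, as far as I know, so a CA removed through the `security.pki.*` options would still be trusted by db-rest via Node's own roots; pointing the variable at the system bundle only propagates additions. If the system bundle is meant to be authoritative, that needs either a different mechanism (Node's `--use-openssl-ca` via `NODE_OPTIONS`, which I have not verified for the Node version used here) or at least a comment on the line, such as `# extends Node's bundled roots; security.pki removals do not apply here`. The `environment` attrset is complete in the hunk but the unit it belongs to is not.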
+1 -1
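--- a/nixos/modules/services/misc/gitlab.nix
+++ b/nixos/modules/services/misc/gitlab.nix
@@ -244,7 +244,7 @@
         ${optionalString (cfg.smtp.authentication != null) "authentication: :${cfg.smtp.authentication},"}
         enable_starttls_auto: ${boolToString cfg.smtp.enableStartTLSAuto},
         tls: ${boolToString cfg.smtp.tls},
-        ca_file: "/etc/ssl/certs/ca-certificates.crt",
+        ca_file: "${config.security.pki.caBundle}",
         openssl_verify_mode: '${cfg.smtp.opensslVerifyMode}'
       }
     end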
+1 -1
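--- a/nixos/modules/services/misc/portunus.nix
+++ b/nixos/modules/services/misc/portunus.nix
@@ -285,7 +285,7 @@
         in
         {
           PORTUNUS_SERVER_HTTP_SECURE = "true";
-          PORTUNUS_SLAPD_TLS_CA_CERTIFICATE = "/etc/ssl/certs/ca-certificates.crt";
+          PORTUNUS_SLAPD_TLS_CA_CERTIFICATE = config.security.pki.caBundle;
           PORTUNUS_SLAPD_TLS_CERTIFICATE = "${acmeDirectory}/cert.pem";
           PORTUNUS_SLAPD_TLS_DOMAIN_NAME = cfg.domain;
           PORTUNUS_SLAPD_TLS_PRIVATE_KEY = "${acmeDirectory}/key.pem";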
+1 -1
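--- a/nixos/modules/services/misc/radicle.nix
+++ b/nixos/modules/services/misc/radicle.nix
@@ -45,6 +45,7 @@
       BindReadOnlyPaths = [
         "${cfg.configFile}:${env.RAD_HOME}/config.json"
         "${if lib.types.path.check cfg.publicKey then cfg.publicKey else pkgs.writeText "radicle.pub" cfg.publicKey}:${env.RAD_HOME}/keys/radicle.pub"
+        "${config.security.pki.caBundle}:/etc/ssl/certs/ca-certificates.crt"
       ];
       KillMode = "process";
       StateDirectory = [ "radicle" ];
@@ -57,7 +58,6 @@
     {
       BindReadOnlyPaths = [
         "-/etc/resolv.conf"
-        "/etc/ssl/certs/ca-certificates.crt"
         "/run/systemd"
       ];
       AmbientCapabilities = "";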
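Review bot: The CA bundle is removed from the second `BindReadOnlyPaths` list (the one carrying `-/etc/resolv.conf` and `/run/systemd`) and added to the first (the one binding `config.json` and `radicle.pub`), which is a move between two different attrsets rather than an in-place replacement. If those two sets configure two different units — their names are not visible from the hunk — the second unit has just lost its CA bundle at `/etc/ssl/certs/ca-certificates.crt`; if the first is a common base that is merged into the second, the result is equivalent, but a comment on the new line would make that dependency explicit, e.g. `# inherited by the per-unit BindReadOnlyPaths below`. Both enclosing attrsets start outside the hunk.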
+1 -3
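--- a/nixos/modules/services/misc/tandoor-recipes.nix
+++ b/nixos/modules/services/misc/tandoor-recipes.nix
@@ -118,9 +118,7 @@
         RuntimeDirectory = "tandoor-recipes";
 
         BindReadOnlyPaths = [
-          "${
-            config.environment.etc."ssl/certs/ca-certificates.crt".source
-          }:/etc/ssl/certs/ca-certificates.crt"
+          "${config.security.pki.caBundle}:/etc/ssl/certs/ca-certificates.crt"
           builtins.storeDir
           "-/etc/resolv.conf"
           "-/etc/nsswitch.conf"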
+2 -2
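--- a/nixos/modules/services/monitoring/ocsinventory-agent.nix
+++ b/nixos/modules/services/monitoring/ocsinventory-agent.nix
@@ -53,7 +53,8 @@
 
           ca = lib.mkOption {
             type = lib.types.path;
-            default = "/etc/ssl/certs/ca-certificates.crt";
+            default = config.security.pki.caBundle;
+            defaultText = lib.literalExpression "config.security.pki.caBundle";
             description = ''
               Path to CA certificates file in PEM format, for server
               SSL certificate validation.
@@ -72,7 +73,6 @@
       };
       default = { };
       example = {
-        ca = "/etc/ssl/certs/ca-certificates.crt";
         debug = true;
         server = "https://ocsinventory.localhost:8080/ocsinventory";
         tag = "01234567890123";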
+2 -1
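--- a/nixos/modules/services/monitoring/parsedmarc.nix
+++ b/nixos/modules/services/monitoring/parsedmarc.nix
@@ -371,7 +371,8 @@
 
           cert_path = lib.mkOption {
             type = lib.types.path;
-            default = "/etc/ssl/certs/ca-certificates.crt";
+            default = config.security.pki.caBundle;
+            defaultText = lib.literalExpression "config.security.pki.caBundle";
             description = ''
               The path to a TLS certificate bundle used to verify
               the server's certificate.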
+1 -1
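--- a/nixos/modules/services/monitoring/uptime-kuma.nix
+++ b/nixos/modules/services/monitoring/uptime-kuma.nix
@@ -24,7 +24,7 @@
       default = { };
       example = {
         PORT = "4000";
-        NODE_EXTRA_CA_CERTS = "/etc/ssl/certs/ca-certificates.crt";
+        NODE_EXTRA_CA_CERTS = lib.literalExpression "config.security.pki.caBundle";
       };
       description = ''
         Additional configuration for Uptime Kuma, see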
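Review bot: `NODE_EXTRA_CA_CERTS = lib.literalExpression "config.security.pki.caBundle"` places a `literalExpression` marker inside an ordinary attrset `example`; that marker is only recognised at the top level of `example`/`defaultText`, so unless the option-doc renderer has gained nested support I am not aware of, the manual will print this entry as `{ _type = "literalExpression"; text = "config.security.pki.caBundle"; }`. Wrap the whole example instead: `example = lib.literalExpression ''{ PORT = "4000"; NODE_EXTRA_CA_CERTS = config.security.pki.caBundle; }'';`. The enclosing `mkOption` starts before the hunk.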
+2 -1
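--- a/nixos/modules/services/networking/biboumi.nix
+++ b/nixos/modules/services/networking/biboumi.nix
@@ -57,7 +57,8 @@
         };
         options.ca_file = lib.mkOption {
           type = lib.types.path;
-          default = "/etc/ssl/certs/ca-certificates.crt";
+          default = config.security.pki.caBundle;
+          defaultText = lib.literalExpression "config.security.pki.caBundle";
           description = ''
             Specifies which file should be used as the list of trusted CA
             when negotiating a TLS session.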
+1 -2
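--- a/nixos/modules/services/networking/privoxy.nix
+++ b/nixos/modules/services/networking/privoxy.nix
@@ -282,9 +282,8 @@
         # This allows setting absolute key/crt paths
         ca-directory = "/var/empty";
         certificate-directory = "/run/privoxy/certs";
-        trusted-cas-file = "/etc/ssl/certs/ca-certificates.crt";
+        trusted-cas-file = config.security.pki.caBundle;
       });
-
     };
 
   imports =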
+2 -2
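--- a/nixos/modules/services/networking/stunnel.nix
+++ b/nixos/modules/services/networking/stunnel.nix
@@ -123,7 +123,7 @@
         description = ''
           Define the client configurations.
 
-          By default, verifyChain and OCSPaia are enabled and a CAFile is provided from pkgs.cacert.
+          By default, verifyChain and OCSPaia are enabled and CAFile is set to `security.pki.caBundle`.
 
           See "SERVICE-LEVEL OPTIONS" in {manpage}`stunnel(8)`.
         '';
@@ -144,7 +144,7 @@
       applyDefaults =
         c:
         {
-          CAFile = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+          CAFile = config.security.pki.caBundle;
           OCSPaia = true;
           verifyChain = true;
         }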
+1 -1
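--- a/nixos/modules/services/networking/unbound.nix
+++ b/nixos/modules/services/networking/unbound.nix
@@ -195,7 +195,7 @@
       interface = mkDefault ([ "127.0.0.1" ] ++ (optional config.networking.enableIPv6 "::1"));
       access-control = mkDefault ([ "127.0.0.0/8 allow" ] ++ (optional config.networking.enableIPv6 "::1/128 allow"));
       auto-trust-anchor-file = mkIf cfg.enableRootTrustAnchor rootTrustAnchorFile;
-      tls-cert-bundle = mkDefault "/etc/ssl/certs/ca-certificates.crt";
+      tls-cert-bundle = mkDefault config.security.pki.caBundle;
       # prevent race conditions on system startup when interfaces are not yet
       # configured
       ip-freebind = mkDefault true;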
+1 -1
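--- a/nixos/modules/services/search/hound.nix
+++ b/nixos/modules/services/search/hound.nix
@@ -118,7 +118,7 @@
         User = cfg.user;
         Group = cfg.group;
         WorkingDirectory = cfg.home;
-        ExecStartPre = "${pkgs.git}/bin/git config --global --replace-all http.sslCAinfo /etc/ssl/certs/ca-certificates.crt";
+        ExecStartPre = "${pkgs.git}/bin/git config --global --replace-all http.sslCAinfo ${config.security.pki.caBundle}";
         ExecStart = "${cfg.package}/bin/houndd -addr ${cfg.listen} -conf /etc/hound/config.json";
       };
     };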
+1 -1
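--- a/nixos/modules/services/system/nix-daemon.nix
+++ b/nixos/modules/services/system/nix-daemon.nix
@@ -218,7 +218,7 @@
       environment =
         cfg.envVars
         // {
-          CURL_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt";
+          CURL_CA_BUNDLE = config.security.pki.caBundle;
         }
         // config.networking.proxy.envVars;
 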
+1 -1
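--- a/nixos/modules/services/torrent/transmission.nix
+++ b/nixos/modules/services/torrent/transmission.nix
@@ -361,7 +361,7 @@
       wantedBy = [ "multi-user.target" ];
 
       environment = {
-        CURL_CA_BUNDLE = etc."ssl/certs/ca-certificates.crt".source;
+        CURL_CA_BUNDLE = config.security.pki.caBundle;
         TRANSMISSION_WEB_HOME = lib.mkIf (cfg.webHome != null) cfg.webHome;
       };
 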
+1 -1
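--- a/nixos/modules/services/web-apps/cryptpad.nix
+++ b/nixos/modules/services/web-apps/cryptpad.nix
@@ -239,7 +239,7 @@
           "-/etc/resolv.conf"
           "-/run/systemd"
           "/etc/hosts"
-          "/etc/ssl/certs/ca-certificates.crt"
+          "${config.security.pki.caBundle}:/etc/ssl/certs/ca-certificates.crt"
         ];
       };
     };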
+1 -1
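--- a/nixos/modules/services/web-apps/dex.nix
+++ b/nixos/modules/services/web-apps/dex.nix
@@ -117,7 +117,7 @@
           "-/etc/localtime"
           "-/etc/nsswitch.conf"
           "-/etc/resolv.conf"
-          "-/etc/ssl/certs/ca-certificates.crt"
+          "${config.security.pki.caBundle}:/etc/ssl/certs/ca-certificates.crt"
         ];
         BindPaths = optional (cfg.settings.storage.type == "postgres") "/var/run/postgresql";
         # ProtectClock= adds DeviceAllow=char-rtc r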
+1 -1
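--- a/nixos/modules/services/web-apps/grav.nix
+++ b/nixos/modules/services/web-apps/grav.nix
@@ -132,7 +132,7 @@
         "opcache.memory_consumption" = "128";
         "opcache.revalidate_freq" = "1";
         "opcache.fast_shutdown" = "1";
-        "openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
+        "openssl.cafile" = config.security.pki.caBundle;
         catch_workers_output = "yes";
 
         upload_max_filesize = cfg.maxUploadSize;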
+2 -2
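--- a/nixos/modules/services/web-apps/nextcloud.nix
+++ b/nixos/modules/services/web-apps/nextcloud.nix
@@ -19,7 +19,7 @@
     "opcache.memory_consumption" = "128";
     "opcache.revalidate_freq" = "1";
     "opcache.fast_shutdown" = "1";
-    "openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
+    "openssl.cafile" = config.security.pki.caBundle;
     catch_workers_output = "yes";
   };
 
@@ -400,7 +400,7 @@
 
     phpOptions = mkOption {
       type = with types; attrsOf (oneOf [ str int ]);
-      defaultText = literalExpression (generators.toPretty { } defaultPHPSettings);
+      defaultText = literalExpression (generators.toPretty { } (defaultPHPSettings // { "openssl.cafile" = literalExpression "config.security.pki.caBundle"; }));
       description = ''
         Options for PHP's php.ini file for nextcloud.
 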
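Review bot: The new `defaultText` feeds an attrset containing `literalExpression "config.security.pki.caBundle"` through `generators.toPretty { }`, which has no knowledge of the `_type`/`text` marker and will print that entry as a nested attrset literal (`"openssl.cafile" = { _type = "literalExpression"; text = "config.security.pki.caBundle"; }`) instead of the bare expression. `toPretty` does honour `{ __pretty = f; val = v; }` when given `allowPrettyValues = true`, so the line can be `defaultText = literalExpression (generators.toPretty { allowPrettyValues = true; } (defaultPHPSettings // { "openssl.cafile" = { __pretty = id; val = "config.security.pki.caBundle"; }; }));` (use `lib.id` or `(x: x)` if `id` is not in scope here). The `phpOptions` option continues past the end of the hunk.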
+1 -1
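--- a/nixos/modules/services/web-apps/peertube.nix
+++ b/nixos/modules/services/web-apps/peertube.nix
@@ -16,7 +16,7 @@
   env = {
     NODE_CONFIG_DIR = "/var/lib/peertube/config";
     NODE_ENV = "production";
-    NODE_EXTRA_CA_CERTS = "/etc/ssl/certs/ca-certificates.crt";
+    NODE_EXTRA_CA_CERTS = config.security.pki.caBundle;
     NPM_CONFIG_CACHE = "/var/cache/peertube/.npm";
     NPM_CONFIG_PREFIX = cfg.package;
     HOME = cfg.package;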
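Review bot: Pointing `NODE_EXTRA_CA_CERTS` at the system bundle only extends Node's built-in root store — to my knowledge Node keeps its compiled-in roots when this variable is set — so CAs dropped through the `security.pki.*` options remain trusted by PeerTube. That is fine for distributing private CAs, but it differs from the other services in this commit where the bundle is the sole trust source, and a one-line comment would stop the next reader from assuming otherwise: `# extends Node's bundled roots; does not apply security.pki removals`. The `env` attrset starts at the top of the hunk; the unit consuming it is outside.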
+1 -1
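--- a/nixos/modules/services/web-apps/sogo.nix
+++ b/nixos/modules/services/web-apps/sogo.nix
@@ -113,7 +113,7 @@
       wantedBy = [ "multi-user.target" ];
       restartTriggers = [ config.environment.etc."sogo/sogo.conf.raw".source ];
 
-      environment.LDAPTLS_CACERT = "/etc/ssl/certs/ca-certificates.crt";
+      environment.LDAPTLS_CACERT = config.security.pki.caBundle;
 
       serviceConfig = {
         Type = "forking";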