Unverified Commit 1a4575f9 authored by shelvacu's avatar shelvacu Committed by GitHub

nixos/modules: Add security.pki.caBundle option and make all services use it...


nixos/modules: Add security.pki.caBundle option and make all services use it for CA bundles (#352244)

Previously some modules used `config.environment.etc."ssl/certs/ca-certificates.crt".source`, some used `"/etc/ssl/certs/ca-certificates.crt"`, and some used `"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"`. These were all bad in one way or another:

- `config.environment.etc."ssl/certs/ca-certificates.crt".source` relies on `source` being set; if `text` is set instead this breaks, introducing a weird undocumented requirement
- `"/etc/ssl/certs/ca-certificates.crt"` is probably okay but very un-nix. It's a magic string, and the path doesn't change when the file changes (and so you can't trigger service reloads, for example, when the contents change in a new system activation)
- `"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"` silently doesn't include the options from `security.pki`

Co-authored-by: Shelvacu <git@shelvacu.com>
parent f5dadc8f
+2 −0
@@ -540,6 +540,8 @@

- `services.avahi.ipv6` now defaults to true.

- All services that require a root certificate bundle now use the value of a new read-only option, `security.pki.caBundle`.

- hddfancontrol has been updated to major release 2. See the [migration guide](https://github.com/desbma/hddfancontrol/tree/master?tab=readme-ov-file#migrating-from-v1x), as there are breaking changes.

- The Home Assistant module has new options {option}`services.home-assistant.blueprints.automation`, `services.home-assistant.blueprints.script`, and {option}`services.home-assistant.blueprints.template` that allow for the declarative installation of [blueprints](https://www.home-assistant.io/docs/blueprint/) into the appropriate configuration directories.
+20 −12
@@ -5,7 +5,6 @@
  ...
}:
let

  cfg = config.security.pki;

  cacertPackage = pkgs.cacert.override {
@@ -88,9 +87,17 @@ in
      '';
    };

    security.pki.caBundle = lib.mkOption {
      type = lib.types.path;
      readOnly = true;
      description = ''
        (Read-only) the path to the final bundle of certificate authorities as a single file.
      '';
    };
  };

  config = lib.mkIf cfg.installCACerts {
  config = lib.mkMerge [
    (lib.mkIf cfg.installCACerts {

      # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility.
      environment.etc."ssl/certs/ca-certificates.crt".source = caBundle;
@@ -103,7 +110,8 @@ in

      # P11-Kit trust source.
      environment.etc."ssl/trust-source".source = "${cacertPackage.p11kit}/etc/ssl/trust-source";

  };
    })
    { security.pki.caBundle = caBundle; }
  ];

}
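Review bot: The description of `security.pki.caBundle` does not say under which conditions the option carries a value, although the hunk makes that visible: the `{ security.pki.caBundle = caBundle; }` attribute set in the final `lib.mkMerge` sits outside the `lib.mkIf cfg.installCACerts` branch, so the option is populated even when the bundle is not installed under /etc, and per the commit message the path changes whenever the bundle contents change. Suggest extending the description with a second sentence such as `Always set, independent of security.pki.installCACerts; the path changes whenever the bundle contents change, so anything referencing it is rebuilt along with the bundle.` The leading "(Read-only)" in the description duplicates `readOnly = true`, which the option documentation already renders, and could be dropped. The binding `caBundle` itself is defined in the `let` block above this hunk; whether it includes the extra certificates configured under `security.pki` is not visible here and should be confirmed, since that is what the commit relies on.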
+1 −1
@@ -59,7 +59,7 @@ in
        BindReadOnlyPaths = [
          # gonic can access scrobbling services
          "-/etc/resolv.conf"
          "-/etc/ssl/certs/ca-certificates.crt"
          "${config.security.pki.caBundle}:/etc/ssl/certs/ca-certificates.crt"
          builtins.storeDir
        ] ++ cfg.settings.music-path
        ++ lib.optional (cfg.settings.tls-cert != null) cfg.settings.tls-cert
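Review bot: The replacement bind in `BindReadOnlyPaths` drops the leading `-` that marked the old `/etc/ssl/certs/ca-certificates.crt` entry as optional, so a missing source now fails the unit start instead of letting gonic run without a CA bundle; that is the safer, fail-closed outcome because the source is a store path that exists whenever the unit does, but the intent deserves a comment since the next line's `builtins.storeDir` already makes the store path readable and the bind only exposes it at the conventional location, e.g. `# expose the system CA bundle at its conventional path (store path itself is reachable via builtins.storeDir)`. The navidrome hunk makes the same substitution and would take the same comment.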
+1 −3
@@ -118,9 +118,7 @@ in
            BindReadOnlyPaths =
              [
                # navidrome uses online services to download additional album metadata / covers
                "${
                  config.environment.etc."ssl/certs/ca-certificates.crt".source
                }:/etc/ssl/certs/ca-certificates.crt"
                "${config.security.pki.caBundle}:/etc/ssl/certs/ca-certificates.crt"
                builtins.storeDir
                "/etc"
              ]
+1 −1
@@ -213,7 +213,7 @@ in
        rm -f config/autoregister.properties
        ln -s "${pkgs.writeText "autoregister.properties" cfg.agentConfig}" config/autoregister.properties

        ${pkgs.git}/bin/git config --global --add http.sslCAinfo /etc/ssl/certs/ca-certificates.crt
        ${pkgs.git}/bin/git config --global --add http.sslCAinfo ${config.security.pki.caBundle}
        ${pkgs.jre}/bin/java ${lib.concatStringsSep " " cfg.startupOptions} \
                        ${lib.concatStringsSep " " cfg.extraOptions} \
                              -jar ${pkgs.gocd-agent}/go-agent/agent-bootstrapper.jar \
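Review bot: `git config --global --add http.sslCAinfo ${config.security.pki.caBundle}` appends a new entry to the agent's global git config on every start, and now that the value is a store path that changes whenever the bundle contents change, stale entries pointing at old (possibly garbage-collected) bundles accumulate across generations; git uses the last value for a single-valued key, so verification still works, but the list only grows. Replacing the line with `${pkgs.git}/bin/git config --global http.sslCAinfo ${config.security.pki.caBundle}` (no `--add`) keeps a single current entry, assuming the config file persists in the agent's home between restarts, which is not visible in this hunk. The enclosing script starts outside the hunk.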