diff --git a/nixos/doc/manual/release-notes/rl-2411.section.md b/nixos/doc/manual/release-notes/rl-2411.section.md index a0600247bcd13a..6c30a5bd46c9a7 100644 --- a/nixos/doc/manual/release-notes/rl-2411.section.md +++ b/nixos/doc/manual/release-notes/rl-2411.section.md @@ -742,6 +742,8 @@ - `xxd` is now provided by the `tinyxxd` package, rather than `vim.xxd`, to reduce closure size and vulnerability impact. Since it has the same options and semantics as Vim's `xxd` utility, there is no user impact. Vim's `xxd` remains available as the `vim.xxd` package. +- All services that require a root certificate bundle now use the value of a new read-only option, `security.pki.caBundle`. + - `prometheus-openldap-exporter` was removed since it was unmaintained upstream and had no nixpkgs maintainers. - `restic` module now has an option for inhibiting system sleep while backups are running, defaulting to off (not inhibiting sleep), available as [`services.restic.backups..inhibitsSleep`](#opt-services.restic.backups._name_.inhibitsSleep). diff --git a/nixos/modules/security/ca.nix b/nixos/modules/security/ca.nix index 76c1010f419902..400fdf06737f2f 100644 --- a/nixos/modules/security/ca.nix +++ b/nixos/modules/security/ca.nix @@ -3,7 +3,6 @@ with lib; let - cfg = config.security.pki; cacertPackage = pkgs.cacert.override { @@ -85,6 +84,14 @@ in ''; }; + security.pki.caBundle = mkOption { + type = types.path; + default = caBundle; + readOnly = true; + description = '' + (Read-only) the path to the final bundle of certificate authorities as a single file. + ''; + }; }; config = mkIf cfg.installCACerts { diff --git a/nixos/modules/services/audio/gonic.nix b/nixos/modules/services/audio/gonic.nix index 15a35571acbabc..89f89f3f193391 100644 --- a/nixos/modules/services/audio/gonic.nix +++ b/nixos/modules/services/audio/gonic.nix 
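Review bot: The new `security.pki.caBundle` option is declared outside the `config = mkIf cfg.installCACerts {` block that follows it, so it yields a bundle even when `installCACerts` is false; the description should say so, and should say what the bundle contains, since every consumer in this commit now embeds it by store path rather than reading `/etc/ssl/certs/ca-certificates.crt` at runtime. Assuming `caBundle` in the `let` block (outside the hunk) is built from `cacertPackage` plus the module's extra certificates, I would write: `(Read-only) Path to the final CA bundle as a single file, built by this module from the cacert package and the configured extra certificates. Services may embed it by store path; it is available even when installCACerts is false.` A changed bundle then produces a new store path, so units that reference it are restarted on activation, which is worth stating so operators understand why a `security.pki.*` change restarts unrelated services.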
@@ -61,7 +61,7 @@ in BindReadOnlyPaths = [ # gonic can access scrobbling services "-/etc/resolv.conf" - "-/etc/ssl/certs/ca-certificates.crt" + "${config.security.pki.caBundle}:/etc/ssl/certs/ca-certificates.crt" builtins.storeDir cfg.settings.podcast-path ] ++ cfg.settings.music-path diff --git a/nixos/modules/services/audio/navidrome.nix b/nixos/modules/services/audio/navidrome.nix index 06d2d174a4df3a..3298c981a3ba07 100644 --- a/nixos/modules/services/audio/navidrome.nix +++ b/nixos/modules/services/audio/navidrome.nix @@ -111,9 +111,7 @@ in ++ optional (cfg.settings ? CacheFolder) cfg.settings.CacheFolder; BindReadOnlyPaths = [ # navidrome uses online services to download additional album metadata / covers - "${ - config.environment.etc."ssl/certs/ca-certificates.crt".source - }:/etc/ssl/certs/ca-certificates.crt" + "${config.security.pki.caBundle}:/etc/ssl/certs/ca-certificates.crt" builtins.storeDir "/etc" ] ++ optional (cfg.settings ? MusicFolder) cfg.settings.MusicFolder; diff --git a/nixos/modules/services/continuous-integration/gocd-agent/default.nix b/nixos/modules/services/continuous-integration/gocd-agent/default.nix index 0e61b253f17ee1..2daedd506dd625 100644 --- a/nixos/modules/services/continuous-integration/gocd-agent/default.nix +++ b/nixos/modules/services/continuous-integration/gocd-agent/default.nix @@ -200,7 +200,7 @@ in { rm -f config/autoregister.properties ln -s "${pkgs.writeText "autoregister.properties" cfg.agentConfig}" config/autoregister.properties - ${pkgs.git}/bin/git config --global --add http.sslCAinfo /etc/ssl/certs/ca-certificates.crt + ${pkgs.git}/bin/git config --global --add http.sslCAinfo ${config.security.pki.caBundle} ${pkgs.jre}/bin/java ${concatStringsSep " " cfg.startupOptions} \ ${concatStringsSep " " cfg.extraOptions} \ -jar ${pkgs.gocd-agent}/go-agent/agent-bootstrapper.jar \ 
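Review bot: In the gocd-agent hunk `git config --global --add http.sslCAinfo ${config.security.pki.caBundle}` appends a new entry to the agent user's global gitconfig on every start, and now that the value is a store path that changes whenever the bundle changes, stale entries accumulate across deployments; git uses the last value for this key so TLS verification still works, but the file grows and old bundle paths linger. Prefer `${pkgs.git}/bin/git config --global --replace-all http.sslCAinfo ${config.security.pki.caBundle}`, as the hound hunk in this commit already does. The gocd-server hunk has the same `--add` and should get the same change. The enclosing `script` string starts outside both hunks.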
diff --git a/nixos/modules/services/continuous-integration/gocd-server/default.nix b/nixos/modules/services/continuous-integration/gocd-server/default.nix index a1fb740c269d59..8a7cafb8bb5d0a 100644 --- a/nixos/modules/services/continuous-integration/gocd-server/default.nix +++ b/nixos/modules/services/continuous-integration/gocd-server/default.nix @@ -200,7 +200,7 @@ in { path = cfg.packages; script = '' - ${pkgs.git}/bin/git config --global --add http.sslCAinfo /etc/ssl/certs/ca-certificates.crt + ${pkgs.git}/bin/git config --global --add http.sslCAinfo ${config.security.pki.caBundle} ${pkgs.jre}/bin/java -server ${concatStringsSep " " cfg.startupOptions} \ ${concatStringsSep " " cfg.extraOptions} \ -jar ${pkgs.gocd-server}/go-server/lib/go.jar diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix index 244ce49ee63bbf..c276b6af50fec9 100644 --- a/nixos/modules/services/mail/postfix.nix +++ b/nixos/modules/services/mail/postfix.nix @@ -501,10 +501,11 @@ in tlsTrustedAuthorities = lib.mkOption { type = lib.types.str; - default = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; - defaultText = lib.literalExpression ''"''${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"''; + default = config.security.pki.caBundle; + defaultText = lib.literalExpression "config.security.pki.caBundle"; + example = lib.literalExpression ''"''${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"''; description = '' - File containing trusted certification authorities (CA) to verify certificates of mailservers contacted for mail delivery. This basically sets smtp_tls_CAfile and enables opportunistic tls. Defaults to NixOS trusted certification authorities. + File containing trusted certification authorities (CA) to verify certificates of mailservers contacted for mail delivery. This sets [smtp_tls_CAfile](https://www.postfix.org/postconf.5.html#smtp_tls_CAfile). Defaults to system trusted certificates (see `security.pki.*` options). ''; }; 
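Review bot: `tlsTrustedAuthorities` keeps `type = lib.types.str` while its new default is `config.security.pki.caBundle`, whose option type is `types.path`; if `caBundle` in ca.nix is a derivation rather than a string (its definition is outside the hunk), the `str` check rejects the default as soon as the option is evaluated without a user value. Either `type = lib.types.path;` or `default = toString config.security.pki.caBundle;` avoids the mismatch; the same question applies to the nextcloud hunk, where the bundle is placed into `phpOptions`, if that option is typed as strings. The description now also drops the former note that this setting enables opportunistic TLS; if that is still true, keep that sentence so users understand the side effect of `smtp_tls_CAfile`.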
diff --git a/nixos/modules/services/misc/db-rest.nix b/nixos/modules/services/misc/db-rest.nix index fbf8b327af049a..ef155123634ee0 100644 --- a/nixos/modules/services/misc/db-rest.nix +++ b/nixos/modules/services/misc/db-rest.nix @@ -141,7 +141,7 @@ in }; environment = { NODE_ENV = "production"; - NODE_EXTRA_CA_CERTS = "/etc/ssl/certs/ca-certificates.crt"; + NODE_EXTRA_CA_CERTS = config.security.pki.caBundle; HOSTNAME = cfg.host; PORT = toString cfg.port; }; diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix index ecbc087f739fd4..7a808bd817bc1f 100644 --- a/nixos/modules/services/misc/gitlab.nix +++ b/nixos/modules/services/misc/gitlab.nix @@ -241,7 +241,7 @@ let ${optionalString (cfg.smtp.authentication != null) "authentication: :${cfg.smtp.authentication},"} enable_starttls_auto: ${boolToString cfg.smtp.enableStartTLSAuto}, tls: ${boolToString cfg.smtp.tls}, - ca_file: "/etc/ssl/certs/ca-certificates.crt", + ca_file: "${config.security.pki.caBundle}", openssl_verify_mode: '${cfg.smtp.opensslVerifyMode}' } end diff --git a/nixos/modules/services/misc/portunus.nix b/nixos/modules/services/misc/portunus.nix index 20486f0212f7b0..9920e8f7e11f92 100644 --- a/nixos/modules/services/misc/portunus.nix +++ b/nixos/modules/services/misc/portunus.nix @@ -266,7 +266,7 @@ in in { PORTUNUS_SERVER_HTTP_SECURE = "true"; - PORTUNUS_SLAPD_TLS_CA_CERTIFICATE = "/etc/ssl/certs/ca-certificates.crt"; + PORTUNUS_SLAPD_TLS_CA_CERTIFICATE = config.security.pki.caBundle; PORTUNUS_SLAPD_TLS_CERTIFICATE = "${acmeDirectory}/cert.pem"; PORTUNUS_SLAPD_TLS_DOMAIN_NAME = cfg.domain; PORTUNUS_SLAPD_TLS_PRIVATE_KEY = "${acmeDirectory}/key.pem"; diff --git a/nixos/modules/services/misc/radicle.nix b/nixos/modules/services/misc/radicle.nix index cd7a2452223aca..e849c8dee817f8 100644 --- a/nixos/modules/services/misc/radicle.nix +++ b/nixos/modules/services/misc/radicle.nix 
@@ -45,6 +45,7 @@ let BindReadOnlyPaths = [ "${cfg.configFile}:${env.RAD_HOME}/config.json" "${if lib.types.path.check cfg.publicKey then cfg.publicKey else pkgs.writeText "radicle.pub" cfg.publicKey}:${env.RAD_HOME}/keys/radicle.pub" + "${config.security.pki.caBundle}:/etc/ssl/certs/ca-certificates.crt" ]; KillMode = "process"; StateDirectory = [ "radicle" ]; @@ -57,7 +58,6 @@ let { BindReadOnlyPaths = [ "-/etc/resolv.conf" - "/etc/ssl/certs/ca-certificates.crt" "/run/systemd" ]; AmbientCapabilities = ""; diff --git a/nixos/modules/services/misc/tandoor-recipes.nix b/nixos/modules/services/misc/tandoor-recipes.nix index 1c903d280378ef..d8f5da9a98867b 100644 --- a/nixos/modules/services/misc/tandoor-recipes.nix +++ b/nixos/modules/services/misc/tandoor-recipes.nix @@ -92,7 +92,7 @@ in RuntimeDirectory = "tandoor-recipes"; BindReadOnlyPaths = [ - "${config.environment.etc."ssl/certs/ca-certificates.crt".source}:/etc/ssl/certs/ca-certificates.crt" + "${config.security.pki.caBundle}:/etc/ssl/certs/ca-certificates.crt" builtins.storeDir "-/etc/resolv.conf" "-/etc/nsswitch.conf" diff --git a/nixos/modules/services/monitoring/ocsinventory-agent.nix b/nixos/modules/services/monitoring/ocsinventory-agent.nix index 591738ed4ef789..36168d6f148743 100644 --- a/nixos/modules/services/monitoring/ocsinventory-agent.nix +++ b/nixos/modules/services/monitoring/ocsinventory-agent.nix @@ -48,7 +48,8 @@ in ca = lib.mkOption { type = lib.types.path; - default = "/etc/ssl/certs/ca-certificates.crt"; + default = config.security.pki.caBundle; + defaultText = lib.literalString "config.security.pki.caBundle"; description = '' Path to CA certificates file in PEM format, for server SSL certificate validation. @@ -67,7 +68,6 @@ in }; default = { }; example = { - ca = "/etc/ssl/certs/ca-certificates.crt"; debug = true; server = "https://ocsinventory.localhost:8080/ocsinventory"; tag = "01234567890123"; 
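Review bot: The second radicle hunk (`@@ -57,7 +58,6 @@`) removes `"/etc/ssl/certs/ca-certificates.crt"` from a second `BindReadOnlyPaths` list without adding a replacement, while only the first list gains `"${config.security.pki.caBundle}:/etc/ssl/certs/ca-certificates.crt"`. If the second serviceConfig is not merged with the first one, the unit built from it loses access to any CA bundle inside its mount namespace and outbound TLS would start failing. Both lists live in a `let` whose bindings and consuming units are outside the hunk, so this needs checking against the full file; if they are merged, a one-line comment `# CA bundle is bound in the shared serviceConfig above` would make the intent clear.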
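Review bot: `defaultText = lib.literalString "config.security.pki.caBundle";` in the ocsinventory-agent hunk differs from `lib.literalExpression "config.security.pki.caBundle"` used for the same purpose in the postfix hunk; `literalExpression` is the helper for rendering a default as Nix code, and if `literalString` is not a `lib` helper the option documentation fails to evaluate. Use `defaultText = lib.literalExpression "config.security.pki.caBundle";` here and in the parsedmarc and biboumi hunks, which carry the same line.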
diff --git a/nixos/modules/services/monitoring/parsedmarc.nix b/nixos/modules/services/monitoring/parsedmarc.nix index a14ade59c29eb8..2d61f05a643efe 100644 --- a/nixos/modules/services/monitoring/parsedmarc.nix +++ b/nixos/modules/services/monitoring/parsedmarc.nix @@ -350,7 +350,8 @@ in cert_path = lib.mkOption { type = lib.types.path; - default = "/etc/ssl/certs/ca-certificates.crt"; + default = config.security.pki.caBundle; + defaultText = lib.literalString "config.security.pki.caBundle"; description = '' The path to a TLS certificate bundle used to verify the server's certificate. diff --git a/nixos/modules/services/monitoring/uptime-kuma.nix b/nixos/modules/services/monitoring/uptime-kuma.nix index 4c7dd900f52b6b..1a38df44465c42 100644 --- a/nixos/modules/services/monitoring/uptime-kuma.nix +++ b/nixos/modules/services/monitoring/uptime-kuma.nix @@ -22,7 +22,7 @@ in default = { }; example = { PORT = "4000"; - NODE_EXTRA_CA_CERTS = "/etc/ssl/certs/ca-certificates.crt"; + NODE_EXTRA_CA_CERTS = config.security.pki.caBundle; }; description = '' Additional configuration for Uptime Kuma, see diff --git a/nixos/modules/services/networking/biboumi.nix b/nixos/modules/services/networking/biboumi.nix index 33cb1d95bc51fd..c962250cb8d903 100644 --- a/nixos/modules/services/networking/biboumi.nix +++ b/nixos/modules/services/networking/biboumi.nix @@ -40,7 +40,8 @@ in }; options.ca_file = lib.mkOption { type = lib.types.path; - default = "/etc/ssl/certs/ca-certificates.crt"; + default = config.security.pki.caBundle; + defaultText = lib.literalString "config.security.pki.caBundle"; description = '' Specifies which file should be used as the list of trusted CA when negotiating a TLS session. diff --git a/nixos/modules/services/networking/gateone.nix b/nixos/modules/services/networking/gateone.nix index 83a7ea24859438..895b2257fc9aff 100644 --- a/nixos/modules/services/networking/gateone.nix +++ b/nixos/modules/services/networking/gateone.nix 
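Review bot: In the uptime-kuma hunk the `example` attrset now contains `config.security.pki.caBundle`, a value that is evaluated when the manual is built, so the rendered example presumably shows a concrete store path (or a derivation marker) instead of the expression a user should copy, and the manual build gains a dependency on evaluating that option. An `example` that refers to `config` should be wrapped in `lib.literalExpression` so the documentation shows the source text.
```nix
example = lib.literalExpression ''
  {
    PORT = "4000";
    NODE_EXTRA_CA_CERTS = config.security.pki.caBundle;
  }
'';
```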
@@ -19,9 +19,6 @@ options = { }; }; config = lib.mkIf cfg.enable { - environment.systemPackages = with pkgs.pythonPackages; [ - gateone pkgs.openssh pkgs.procps pkgs.coreutils pkgs.cacert]; - users.users.gateone = { description = "GateOne privilege separation user"; uid = config.ids.uids.gateone; @@ -29,9 +26,9 @@ config = lib.mkIf cfg.enable { }; users.groups.gateone.gid = config.ids.gids.gateone; - systemd.services.gateone = with pkgs; { + systemd.services.gateone = { description = "GateOne web-based terminal"; - path = [ pythonPackages.gateone nix openssh procps coreutils ]; + path = with pkgs; [ pythonPackages.gateone nix openssh procps coreutils ]; preStart = '' if [ ! -d ${cfg.settingsDir} ] ; then mkdir -m 0750 -p ${cfg.settingsDir} @@ -44,7 +41,7 @@ config = lib.mkIf cfg.enable { ''; #unitConfig.RequiresMountsFor = "${cfg.settingsDir}"; serviceConfig = { - ExecStart = ''${pythonPackages.gateone}/bin/gateone --settings_dir=${cfg.settingsDir} --pid_file=${cfg.pidDir}/gateone.pid --gid=${toString config.ids.gids.gateone} --uid=${toString config.ids.uids.gateone}''; + ExecStart = ''${pkgs.pythonPackages.gateone}/bin/gateone --settings_dir=${cfg.settingsDir} --pid_file=${cfg.pidDir}/gateone.pid --gid=${toString config.ids.gids.gateone} --uid=${toString config.ids.uids.gateone}''; User = "gateone"; Group = "gateone"; WorkingDirectory = cfg.settingsDir; diff --git a/nixos/modules/services/networking/privoxy.nix b/nixos/modules/services/networking/privoxy.nix index d40dd603085a9c..2d18eaa80e816a 100644 --- a/nixos/modules/services/networking/privoxy.nix +++ b/nixos/modules/services/networking/privoxy.nix @@ -253,7 +253,7 @@ in # This allows setting absolute key/crt paths ca-directory = "/var/empty"; certificate-directory = "/run/privoxy/certs"; - trusted-cas-file = "/etc/ssl/certs/ca-certificates.crt"; + trusted-cas-file = config.security.pki.caBundle; }); }; 
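Review bot: The first gateone hunk deletes the whole `environment.systemPackages` assignment, which removes `gateone`, `openssh`, `procps` and `coreutils` from the system profile, not just `pkgs.cacert`; the last three are normally present anyway, but the `gateone` command disappears from PATH, which is unrelated to the CA-bundle change and not mentioned in the release note. If only `cacert` was meant to go, keep `environment.systemPackages = with pkgs.pythonPackages; [ gateone pkgs.openssh pkgs.procps pkgs.coreutils ];`. Unlike every other service in this commit, gateone is also not pointed at `config.security.pki.caBundle` anywhere in these hunks, so it presumably relies on finding the system bundle at its default location; that is worth confirming or stating in a comment.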
diff --git a/nixos/modules/services/networking/stunnel.nix b/nixos/modules/services/networking/stunnel.nix index 9f9068c8e0779c..682462fbabb8f1 100644 --- a/nixos/modules/services/networking/stunnel.nix +++ b/nixos/modules/services/networking/stunnel.nix @@ -97,7 +97,7 @@ in description = '' Define the client configurations. - By default, verifyChain and OCSPaia are enabled and a CAFile is provided from pkgs.cacert. + By default, verifyChain and OCSPaia are enabled and CAFile is set to `security.pki.caBundle`. See "SERVICE-LEVEL OPTIONS" in {manpage}`stunnel(8)`. ''; @@ -106,7 +106,7 @@ in apply = let applyDefaults = c: { - CAFile = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; + CAFile = security.pki.caBundle; OCSPaia = true; verifyChain = true; } // c; diff --git a/nixos/modules/services/networking/unbound.nix b/nixos/modules/services/networking/unbound.nix index 66451328ddddc4..c4ba27804cdd6b 100644 --- a/nixos/modules/services/networking/unbound.nix +++ b/nixos/modules/services/networking/unbound.nix @@ -193,7 +193,7 @@ in { interface = mkDefault ([ "127.0.0.1" ] ++ (optional config.networking.enableIPv6 "::1")); access-control = mkDefault ([ "127.0.0.0/8 allow" ] ++ (optional config.networking.enableIPv6 "::1/128 allow")); auto-trust-anchor-file = mkIf cfg.enableRootTrustAnchor rootTrustAnchorFile; - tls-cert-bundle = mkDefault "/etc/ssl/certs/ca-certificates.crt"; + tls-cert-bundle = mkDefault config.security.pki.caBundle; # prevent race conditions on system startup when interfaces are not yet # configured ip-freebind = mkDefault true; diff --git a/nixos/modules/services/search/hound.nix b/nixos/modules/services/search/hound.nix index 7aca1adc19b082..9961e7d3ec7c41 100644 --- a/nixos/modules/services/search/hound.nix +++ b/nixos/modules/services/search/hound.nix 
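Review bot: `CAFile = security.pki.caBundle;` in the stunnel `applyDefaults` hunk lacks the `config.` prefix that every other hunk in this commit uses; unless the module opens `with config;` somewhere outside the hunk, `security` is an undefined variable and evaluation fails for any configuration that defines a client. Change it to `CAFile = config.security.pki.caBundle;`. The `apply` function whose defaults this sets starts inside the hunk but the surrounding option continues past it.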
@@ -104,7 +104,7 @@ in { User = cfg.user; Group = cfg.group; WorkingDirectory = cfg.home; - ExecStartPre = "${pkgs.git}/bin/git config --global --replace-all http.sslCAinfo /etc/ssl/certs/ca-certificates.crt"; + ExecStartPre = "${pkgs.git}/bin/git config --global --replace-all http.sslCAinfo ${config.security.pki.caBundle}"; ExecStart = "${cfg.package}/bin/houndd -addr ${cfg.listen} -conf /etc/hound/config.json"; }; }; diff --git a/nixos/modules/services/system/nix-daemon.nix b/nixos/modules/services/system/nix-daemon.nix index adadce4f88d6d5..f8cafb5734215f 100644 --- a/nixos/modules/services/system/nix-daemon.nix +++ b/nixos/modules/services/system/nix-daemon.nix @@ -187,7 +187,7 @@ in ++ optionals cfg.distributedBuilds [ pkgs.gzip ]; environment = cfg.envVars - // { CURL_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"; } + // { CURL_CA_BUNDLE = config.security.pki.caBundle; } // config.networking.proxy.envVars; unitConfig.RequiresMountsFor = "/nix/store"; diff --git a/nixos/modules/services/torrent/transmission.nix b/nixos/modules/services/torrent/transmission.nix index ceef0db78b0948..2b90cd8b54d04f 100644 --- a/nixos/modules/services/torrent/transmission.nix +++ b/nixos/modules/services/torrent/transmission.nix @@ -296,7 +296,7 @@ in after = [ "network.target" ] ++ optional apparmor.enable "apparmor.service"; requires = optional apparmor.enable "apparmor.service"; wantedBy = [ "multi-user.target" ]; - environment.CURL_CA_BUNDLE = etc."ssl/certs/ca-certificates.crt".source; + environment.CURL_CA_BUNDLE = config.security.pki.caBundle; environment.TRANSMISSION_WEB_HOME = lib.mkIf (cfg.webHome != null) cfg.webHome; serviceConfig = { diff --git a/nixos/modules/services/web-apps/cryptpad.nix b/nixos/modules/services/web-apps/cryptpad.nix index 770eefc0073955..7dff3e0d69fb6c 100644 --- a/nixos/modules/services/web-apps/cryptpad.nix +++ b/nixos/modules/services/web-apps/cryptpad.nix 
@@ -239,7 +239,7 @@ in "-/etc/resolv.conf" "-/run/systemd" "/etc/hosts" - "/etc/ssl/certs/ca-certificates.crt" + "${config.security.pki.caBundle}:/etc/ssl/certs/ca-certificates.crt" ]; }; }; diff --git a/nixos/modules/services/web-apps/dex.nix b/nixos/modules/services/web-apps/dex.nix index 7fbbd8a0c28491..85ad3ea853e994 100644 --- a/nixos/modules/services/web-apps/dex.nix +++ b/nixos/modules/services/web-apps/dex.nix @@ -88,7 +88,7 @@ in "-/etc/localtime" "-/etc/nsswitch.conf" "-/etc/resolv.conf" - "-/etc/ssl/certs/ca-certificates.crt" + "${config.security.pki.caBundle}:/etc/ssl/certs/ca-certificates.crt" ]; BindPaths = optional (cfg.settings.storage.type == "postgres") "/var/run/postgresql"; CapabilityBoundingSet = "CAP_NET_BIND_SERVICE"; diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix index 8cb4b4c439f9d1..2d0992fbb5fc3b 100644 --- a/nixos/modules/services/web-apps/nextcloud.nix +++ b/nixos/modules/services/web-apps/nextcloud.nix @@ -19,7 +19,7 @@ let "opcache.memory_consumption" = "128"; "opcache.revalidate_freq" = "1"; "opcache.fast_shutdown" = "1"; - "openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt"; + "openssl.cafile" = config.security.pki.caBundle; catch_workers_output = "yes"; }; diff --git a/nixos/modules/services/web-apps/peertube.nix b/nixos/modules/services/web-apps/peertube.nix index e3f15f4f438cc3..f2408e4e8a28fa 100644 --- a/nixos/modules/services/web-apps/peertube.nix +++ b/nixos/modules/services/web-apps/peertube.nix @@ -10,7 +10,7 @@ let env = { NODE_CONFIG_DIR = "/var/lib/peertube/config"; NODE_ENV = "production"; - NODE_EXTRA_CA_CERTS = "/etc/ssl/certs/ca-certificates.crt"; + NODE_EXTRA_CA_CERTS = config.security.pki.caBundle; NPM_CONFIG_CACHE = "/var/cache/peertube/.npm"; NPM_CONFIG_PREFIX = cfg.package; HOME = cfg.package; diff --git a/nixos/modules/services/web-apps/sogo.nix b/nixos/modules/services/web-apps/sogo.nix index 1102418077664a..81f3a5d2338eb4 100644 
--- a/nixos/modules/services/web-apps/sogo.nix +++ b/nixos/modules/services/web-apps/sogo.nix @@ -88,7 +88,7 @@ in { wantedBy = [ "multi-user.target" ]; restartTriggers = [ config.environment.etc."sogo/sogo.conf.raw".source ]; - environment.LDAPTLS_CACERT = "/etc/ssl/certs/ca-certificates.crt"; + environment.LDAPTLS_CACERT = config.security.pki.caBundle; serviceConfig = { Type = "forking";