nixos/modules: Add security.pki.caBundle option and make all services use it for CA bundles

nixos/doc/manual/release-notes/rl-2411.section.md

@@ -742,6 +742,8 @@
 
 - `xxd` is now provided by the `tinyxxd` package, rather than `vim.xxd`, to reduce closure size and vulnerability impact. Since it has the same options and semantics as Vim's `xxd` utility, there is no user impact. Vim's `xxd` remains available as the `vim.xxd` package.
 
+- All services that require a root certificate bundle now use the value of a new read-only option, `security.pki.caBundle`.
+
 - `prometheus-openldap-exporter` was removed since it was unmaintained upstream and had no nixpkgs maintainers.
 
 - `restic` module now has an option for inhibiting system sleep while backups are running, defaulting to off (not inhibiting sleep), available as [`services.restic.backups.<name>.inhibitsSleep`](#opt-services.restic.backups._name_.inhibitsSleep).

nixos/modules/security/ca.nix

@@ -3,7 +3,6 @@
 with lib;
 
 let
-
   cfg = config.security.pki;
 
   cacertPackage = pkgs.cacert.override {
@@ -85,9 +84,16 @@ in
       '';
     };
 
+    security.pki.caBundle = mkOption {
+      type = types.path;
+      readOnly = true;
+      description = ''
+        (Read-only) the path to the final bundle of certificate authorities as a single file.
+      '';
+    };
   };
 
-  config = mkIf cfg.installCACerts {
+  config = (mkIf cfg.installCACerts {
 
     # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility.
     environment.etc."ssl/certs/ca-certificates.crt".source = caBundle;
@@ -100,7 +106,6 @@ in
 
     # P11-Kit trust source.
     environment.etc."ssl/trust-source".source = "${cacertPackage.p11kit}/etc/ssl/trust-source";
-
-  };
+  }) // { security.pki.caBundle = caBundle; };
 
 }

nixos/modules/services/audio/gonic.nix

@@ -61,7 +61,7 @@ in
         BindReadOnlyPaths = [
           # gonic can access scrobbling services
           "-/etc/resolv.conf"
-          "-/etc/ssl/certs/ca-certificates.crt"
+          "${config.security.pki.caBundle}:/etc/ssl/certs/ca-certificates.crt"
           builtins.storeDir
           cfg.settings.podcast-path
         ] ++ cfg.settings.music-path

nixos/modules/services/audio/navidrome.nix

@@ -111,9 +111,7 @@ in
               ++ optional (cfg.settings ? CacheFolder) cfg.settings.CacheFolder;
             BindReadOnlyPaths = [
               # navidrome uses online services to download additional album metadata / covers
-              "${
-                config.environment.etc."ssl/certs/ca-certificates.crt".source
-              }:/etc/ssl/certs/ca-certificates.crt"
+              "${config.security.pki.caBundle}:/etc/ssl/certs/ca-certificates.crt"
               builtins.storeDir
               "/etc"
             ] ++ optional (cfg.settings ? MusicFolder) cfg.settings.MusicFolder;

nixos/modules/services/continuous-integration/gocd-agent/default.nix

@@ -200,7 +200,7 @@ in {
         rm -f config/autoregister.properties
         ln -s "${pkgs.writeText "autoregister.properties" cfg.agentConfig}" config/autoregister.properties
 
-        ${pkgs.git}/bin/git config --global --add http.sslCAinfo /etc/ssl/certs/ca-certificates.crt
+        ${pkgs.git}/bin/git config --global --add http.sslCAinfo ${config.security.pki.caBundle}
         ${pkgs.jre}/bin/java ${concatStringsSep " " cfg.startupOptions} \
                         ${concatStringsSep " " cfg.extraOptions} \
                               -jar ${pkgs.gocd-agent}/go-agent/agent-bootstrapper.jar \

nixos/modules/services/continuous-integration/gocd-server/default.nix

@@ -200,7 +200,7 @@ in {
       path = cfg.packages;
 
       script = ''
-        ${pkgs.git}/bin/git config --global --add http.sslCAinfo /etc/ssl/certs/ca-certificates.crt
+        ${pkgs.git}/bin/git config --global --add http.sslCAinfo ${config.security.pki.caBundle}
         ${pkgs.jre}/bin/java -server ${concatStringsSep " " cfg.startupOptions} \
                                ${concatStringsSep " " cfg.extraOptions}  \
                               -jar ${pkgs.gocd-server}/go-server/lib/go.jar

nixos/modules/services/mail/postfix.nix

@@ -501,10 +501,11 @@ in
 
       tlsTrustedAuthorities = lib.mkOption {
         type = lib.types.str;
-        default = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
-        defaultText = lib.literalExpression ''"''${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"'';
+        default = config.security.pki.caBundle;
+        defaultText = lib.literalExpression "config.security.pki.caBundle";
+        example = lib.literalExpression ''"''${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"'';
         description = ''
-          File containing trusted certification authorities (CA) to verify certificates of mailservers contacted for mail delivery. This basically sets smtp_tls_CAfile and enables opportunistic tls. Defaults to NixOS trusted certification authorities.
+          File containing trusted certification authorities (CA) to verify certificates of mailservers contacted for mail delivery. This sets [smtp_tls_CAfile](https://www.postfix.org/postconf.5.html#smtp_tls_CAfile). Defaults to system trusted certificates (see `security.pki.*` options).
         '';
       };
 

nixos/modules/services/misc/db-rest.nix

@@ -141,7 +141,7 @@ in
         };
         environment = {
           NODE_ENV = "production";
-          NODE_EXTRA_CA_CERTS = "/etc/ssl/certs/ca-certificates.crt";
+          NODE_EXTRA_CA_CERTS = config.security.pki.caBundle;
           HOSTNAME = cfg.host;
           PORT = toString cfg.port;
         };

nixos/modules/services/misc/gitlab.nix

@@ -241,7 +241,7 @@ let
         ${optionalString (cfg.smtp.authentication != null) "authentication: :${cfg.smtp.authentication},"}
         enable_starttls_auto: ${boolToString cfg.smtp.enableStartTLSAuto},
         tls: ${boolToString cfg.smtp.tls},
-        ca_file: "/etc/ssl/certs/ca-certificates.crt",
+        ca_file: "${config.security.pki.caBundle}",
         openssl_verify_mode: '${cfg.smtp.opensslVerifyMode}'
       }
     end

nixos/modules/services/misc/portunus.nix

@@ -266,7 +266,7 @@ in
           in
           {
             PORTUNUS_SERVER_HTTP_SECURE = "true";
-            PORTUNUS_SLAPD_TLS_CA_CERTIFICATE = "/etc/ssl/certs/ca-certificates.crt";
+            PORTUNUS_SLAPD_TLS_CA_CERTIFICATE = config.security.pki.caBundle;
             PORTUNUS_SLAPD_TLS_CERTIFICATE = "${acmeDirectory}/cert.pem";
             PORTUNUS_SLAPD_TLS_DOMAIN_NAME = cfg.domain;
             PORTUNUS_SLAPD_TLS_PRIVATE_KEY = "${acmeDirectory}/key.pem";

nixos/modules/services/misc/radicle.nix

@@ -45,6 +45,7 @@ let
         BindReadOnlyPaths = [
           "${cfg.configFile}:${env.RAD_HOME}/config.json"
           "${if lib.types.path.check cfg.publicKey then cfg.publicKey else pkgs.writeText "radicle.pub" cfg.publicKey}:${env.RAD_HOME}/keys/radicle.pub"
+          "${config.security.pki.caBundle}:/etc/ssl/certs/ca-certificates.crt"
         ];
         KillMode = "process";
         StateDirectory = [ "radicle" ];
@@ -57,7 +58,6 @@ let
       {
         BindReadOnlyPaths = [
           "-/etc/resolv.conf"
-          "/etc/ssl/certs/ca-certificates.crt"
           "/run/systemd"
         ];
         AmbientCapabilities = "";

nixos/modules/services/misc/tandoor-recipes.nix

@@ -92,7 +92,7 @@ in
         RuntimeDirectory = "tandoor-recipes";
 
         BindReadOnlyPaths = [
-          "${config.environment.etc."ssl/certs/ca-certificates.crt".source}:/etc/ssl/certs/ca-certificates.crt"
+          "${config.security.pki.caBundle}:/etc/ssl/certs/ca-certificates.crt"
           builtins.storeDir
           "-/etc/resolv.conf"
           "-/etc/nsswitch.conf"

nixos/modules/services/monitoring/ocsinventory-agent.nix

@@ -48,7 +48,8 @@ in
 
             ca = lib.mkOption {
               type = lib.types.path;
-              default = "/etc/ssl/certs/ca-certificates.crt";
+              default = config.security.pki.caBundle;
+              defaultText = lib.literalExpression "config.security.pki.caBundle";
               description = ''
                 Path to CA certificates file in PEM format, for server
                 SSL certificate validation.
@@ -67,7 +68,6 @@ in
         };
         default = { };
         example = {
-          ca = "/etc/ssl/certs/ca-certificates.crt";
           debug = true;
           server = "https://ocsinventory.localhost:8080/ocsinventory";
           tag = "01234567890123";

nixos/modules/services/monitoring/parsedmarc.nix

@@ -350,7 +350,8 @@ in
 
             cert_path = lib.mkOption {
               type = lib.types.path;
-              default = "/etc/ssl/certs/ca-certificates.crt";
+              default = config.security.pki.caBundle;
+              defaultText = lib.literalExpression "config.security.pki.caBundle";
               description = ''
                 The path to a TLS certificate bundle used to verify
                 the server's certificate.

nixos/modules/services/monitoring/uptime-kuma.nix

@@ -22,7 +22,7 @@ in
         default = { };
         example = {
           PORT = "4000";
-          NODE_EXTRA_CA_CERTS = "/etc/ssl/certs/ca-certificates.crt";
+          NODE_EXTRA_CA_CERTS = literalExpression "config.security.pki.caBundle";
         };
         description = ''
           Additional configuration for Uptime Kuma, see

nixos/modules/services/networking/biboumi.nix

@@ -40,7 +40,8 @@ in
           };
           options.ca_file = lib.mkOption {
             type = lib.types.path;
-            default = "/etc/ssl/certs/ca-certificates.crt";
+            default = config.security.pki.caBundle;
+            defaultText = lib.literalExpression "config.security.pki.caBundle";
             description = ''
               Specifies which file should be used as the list of trusted CA
               when negotiating a TLS session.

nixos/modules/services/networking/gateone.nix

@@ -19,19 +19,16 @@ options = {
     };
 };
 config = lib.mkIf cfg.enable {
-  environment.systemPackages = with pkgs.pythonPackages; [
-    gateone pkgs.openssh pkgs.procps pkgs.coreutils pkgs.cacert];
-
   users.users.gateone = {
     description = "GateOne privilege separation user";
     uid = config.ids.uids.gateone;
     home = cfg.settingsDir;
   };
   users.groups.gateone.gid = config.ids.gids.gateone;
 
-  systemd.services.gateone = with pkgs; {
+  systemd.services.gateone = {
     description = "GateOne web-based terminal";
-    path = [ pythonPackages.gateone nix openssh procps coreutils ];
+    path = with pkgs; [ pythonPackages.gateone nix openssh procps coreutils ];
     preStart = ''
       if [ ! -d ${cfg.settingsDir} ] ; then
         mkdir -m 0750 -p ${cfg.settingsDir}
@@ -44,7 +41,7 @@ config = lib.mkIf cfg.enable {
       '';
     #unitConfig.RequiresMountsFor = "${cfg.settingsDir}";
     serviceConfig = {
-      ExecStart = ''${pythonPackages.gateone}/bin/gateone --settings_dir=${cfg.settingsDir} --pid_file=${cfg.pidDir}/gateone.pid --gid=${toString config.ids.gids.gateone} --uid=${toString config.ids.uids.gateone}'';
+      ExecStart = ''${pkgs.pythonPackages.gateone}/bin/gateone --settings_dir=${cfg.settingsDir} --pid_file=${cfg.pidDir}/gateone.pid --gid=${toString config.ids.gids.gateone} --uid=${toString config.ids.uids.gateone}'';
       User = "gateone";
       Group = "gateone";
       WorkingDirectory = cfg.settingsDir;

nixos/modules/services/networking/privoxy.nix

@@ -253,7 +253,7 @@ in
       # This allows setting absolute key/crt paths
       ca-directory = "/var/empty";
       certificate-directory = "/run/privoxy/certs";
-      trusted-cas-file = "/etc/ssl/certs/ca-certificates.crt";
+      trusted-cas-file = config.security.pki.caBundle;
     });
 
   };

nixos/modules/services/networking/stunnel.nix

@@ -97,7 +97,7 @@ in
         description = ''
           Define the client configurations.
 
-          By default, verifyChain and OCSPaia are enabled and a CAFile is provided from pkgs.cacert.
+          By default, verifyChain and OCSPaia are enabled and CAFile is set to `security.pki.caBundle`.
 
           See "SERVICE-LEVEL OPTIONS" in {manpage}`stunnel(8)`.
         '';
@@ -106,7 +106,7 @@ in
         apply = let
           applyDefaults = c:
             {
-              CAFile = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+              CAFile = security.pki.caBundle;
               OCSPaia = true;
               verifyChain = true;
             } // c;

nixos/modules/services/networking/unbound.nix

@@ -193,7 +193,7 @@ in {
         interface = mkDefault ([ "127.0.0.1" ] ++ (optional config.networking.enableIPv6 "::1"));
         access-control = mkDefault ([ "127.0.0.0/8 allow" ] ++ (optional config.networking.enableIPv6 "::1/128 allow"));
         auto-trust-anchor-file = mkIf cfg.enableRootTrustAnchor rootTrustAnchorFile;
-        tls-cert-bundle = mkDefault "/etc/ssl/certs/ca-certificates.crt";
+        tls-cert-bundle = mkDefault config.security.pki.caBundle;
         # prevent race conditions on system startup when interfaces are not yet
         # configured
         ip-freebind = mkDefault true;

nixos/modules/services/search/hound.nix

@@ -104,7 +104,7 @@ in {
         User = cfg.user;
         Group = cfg.group;
         WorkingDirectory = cfg.home;
-        ExecStartPre = "${pkgs.git}/bin/git config --global --replace-all http.sslCAinfo /etc/ssl/certs/ca-certificates.crt";
+        ExecStartPre = "${pkgs.git}/bin/git config --global --replace-all http.sslCAinfo ${config.security.pki.caBundle}";
         ExecStart = "${cfg.package}/bin/houndd -addr ${cfg.listen} -conf /etc/hound/config.json";
       };
     };

nixos/modules/services/system/nix-daemon.nix

@@ -187,7 +187,7 @@ in
           ++ optionals cfg.distributedBuilds [ pkgs.gzip ];
 
         environment = cfg.envVars
-          // { CURL_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"; }
+          // { CURL_CA_BUNDLE = config.security.pki.caBundle; }
           // config.networking.proxy.envVars;
 
         unitConfig.RequiresMountsFor = "/nix/store";

nixos/modules/services/torrent/transmission.nix

@@ -296,7 +296,7 @@ in
       after = [ "network.target" ] ++ optional apparmor.enable "apparmor.service";
       requires = optional apparmor.enable "apparmor.service";
       wantedBy = [ "multi-user.target" ];
-      environment.CURL_CA_BUNDLE = etc."ssl/certs/ca-certificates.crt".source;
+      environment.CURL_CA_BUNDLE = config.security.pki.caBundle;
       environment.TRANSMISSION_WEB_HOME = lib.mkIf (cfg.webHome != null) cfg.webHome;
 
       serviceConfig = {

nixos/modules/services/web-apps/cryptpad.nix

@@ -239,7 +239,7 @@ in
             "-/etc/resolv.conf"
             "-/run/systemd"
             "/etc/hosts"
-            "/etc/ssl/certs/ca-certificates.crt"
+            "${config.security.pki.caBundle}:/etc/ssl/certs/ca-certificates.crt"
           ];
         };
       };

nixos/modules/services/web-apps/dex.nix

@@ -88,7 +88,7 @@ in
           "-/etc/localtime"
           "-/etc/nsswitch.conf"
           "-/etc/resolv.conf"
-          "-/etc/ssl/certs/ca-certificates.crt"
+          "${config.security.pki.caBundle}:/etc/ssl/certs/ca-certificates.crt"
         ];
         BindPaths = optional (cfg.settings.storage.type == "postgres") "/var/run/postgresql";
         CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";

nixos/modules/services/web-apps/nextcloud.nix

@@ -19,7 +19,7 @@ let
     "opcache.memory_consumption" = "128";
     "opcache.revalidate_freq" = "1";
     "opcache.fast_shutdown" = "1";
-    "openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
+    "openssl.cafile" = config.security.pki.caBundle;
     catch_workers_output = "yes";
   };
 
@@ -341,7 +341,7 @@ in {
 
     phpOptions = mkOption {
       type = with types; attrsOf (oneOf [ str int ]);
-      defaultText = literalExpression (generators.toPretty { } defaultPHPSettings);
+      defaultText = literalExpression (generators.toPretty { } (defaultPHPSettings // { "openssl.cafile" = literalExpression "config.security.pki.caBundle"; }));
       description = ''
         Options for PHP's php.ini file for nextcloud.
 

nixos/modules/services/web-apps/peertube.nix

@@ -10,7 +10,7 @@ let
   env = {
     NODE_CONFIG_DIR = "/var/lib/peertube/config";
     NODE_ENV = "production";
-    NODE_EXTRA_CA_CERTS = "/etc/ssl/certs/ca-certificates.crt";
+    NODE_EXTRA_CA_CERTS = config.security.pki.caBundle;
     NPM_CONFIG_CACHE = "/var/cache/peertube/.npm";
     NPM_CONFIG_PREFIX = cfg.package;
     HOME = cfg.package;

nixos/modules/services/web-apps/sogo.nix

@@ -88,7 +88,7 @@ in {
       wantedBy = [ "multi-user.target" ];
       restartTriggers = [ config.environment.etc."sogo/sogo.conf.raw".source ];
 
-      environment.LDAPTLS_CACERT = "/etc/ssl/certs/ca-certificates.crt";
+      environment.LDAPTLS_CACERT = config.security.pki.caBundle;
 
       serviceConfig = {
         Type = "forking";