| author | shelvacu <1731537+shelvacu@users.noreply.github.com> | 2025-03-08 00:41:08 -0800 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-03-08 08:41:08 +0000 |
| commit | 1a4575f9dbe76482f2a85f496c2aa3a7cd50b759 (patch) | |
| tree | 7c965aa5ca2d282b99a9a48e1412c1a90c55a403 /pkgs/development/python-modules/rangehttpserver | |
| parent | f5dadc8f64f6a026ae6a8b0398fded52c8bba041 (diff) | |
nixos/modules: Add security.pki.caBundle option and make all services use it for CA bundles (#352244)
Previously some modules used `config.environment.etc."ssl/certs/ca-certificates.crt".source`, some used `"/etc/ssl/certs/ca-certificates.crt"`, and some used `"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"`. These were all bad in one way or another:
- `config.environment.etc."ssl/certs/ca-certificates.crt".source` relies on `source` being set; if `text` is set instead this breaks, introducing a weird undocumented requirement
- `"/etc/ssl/certs/ca-certificates.crt"` is probably okay but very un-nix. It's a magic string, and the path doesn't change when the file changes (and so you can't trigger service reloads, for example, when the contents change in a new system activation)
- `"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"` silently doesn't include the options from `security.pki`
Co-authored-by: Shelvacu <git@shelvacu.com>
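The three older patterns next to the new option, as an added example that is not part of this commit or of nixpkgs. The service name `example-fetcher`, the certificate file `./internal-root-ca.pem` and the URL are hypothetical placeholders, and the sketch assumes `security.pki.caBundle` evaluates to a store path, as the commit message's reasoning implies.

```nix
# Added example: a hypothetical NixOS module, not code from nixpkgs.
{ config, pkgs, ... }:
{
  # Extra trust anchor merged into the system-wide bundle.
  # Placeholder file; it must exist next to this module for evaluation.
  security.pki.certificateFiles = [ ./internal-root-ca.pem ];

  systemd.services.example-fetcher = {
    description = "Hypothetical service making an outbound TLS request";
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "oneshot";
      DynamicUser = true;

      # Patterns the commit message lists as problematic:
      #   config.environment.etc."ssl/certs/ca-certificates.crt".source
      #     -> depends on `source` being set rather than `text`
      #   "/etc/ssl/certs/ca-certificates.crt"
      #     -> fixed string; the unit is identical even when the bundle changes
      #   "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
      #     -> stock bundle only; internal-root-ca.pem would not be trusted
      #
      # With the option, the path of the final bundle (security.pki additions
      # included) is written into the unit, so the unit definition changes
      # whenever the bundle contents change.
      ExecStart = ''
        ${pkgs.curl}/bin/curl --fail --silent --output /dev/null \
          --cacert ${config.security.pki.caBundle} \
          https://internal.example.invalid/health
      '';
    };
  };
}
```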
Diffstat (limited to 'pkgs/development/python-modules/rangehttpserver')
0 files changed, 0 insertions, 0 deletions
