Add security.pki.installCACerts config

Made is possible to disable the management of /etc/ssl/certs/ca-certificates.crt by Nix darwin.
2025-03-16 21:38:21 +00:00 · 2023-11-10 11:21:18 +01:00 · 2023-11-10 11:21:18 +01:00 · 4fa7b5cdd1
commit 4fa7b5cdd1
parent c8f385766b
2 changed files with 13 additions and 2 deletions
--- a/modules/security/pki/default.nix
+++ b/modules/security/pki/default.nix
@ -21,6 +21,14 @@ in
 {
  options = {
    security.pki.installCACerts = mkOption {
      type = types.bool;
      default = true;
      description = lib.mdDoc ''
        Whether to enable certificate management with nix-darwin.
      '';
    };
    security.pki.certificateFiles = mkOption {
      type = types.listOf types.path;
      default = [];
@ -71,7 +79,7 @@ in
    };
  };
-  config = {
+  config = mkIf cfg.installCACerts {
    security.pki.certificateFiles = [ "${cacertPackage}/etc/ssl/certs/ca-bundle.crt" ];
--- a/modules/services/nix-daemon.nix
+++ b/modules/services/nix-daemon.nix
@ -63,7 +63,10 @@ in
      serviceConfig.EnvironmentVariables = mkMerge [
        config.nix.envVars
-        { NIX_SSL_CERT_FILE = mkDefault config.environment.variables.NIX_SSL_CERT_FILE;
+        {
          NIX_SSL_CERT_FILE = mkIf
            (config.environment.variables ? NIX_SSL_CERT_FILE)
            (mkDefault config.environment.variables.NIX_SSL_CERT_FILE);
          TMPDIR = mkIf (cfg.tempDir != null) cfg.tempDir;
          # FIXME: workaround for https://github.com/NixOS/nix/issues/2523
          OBJC_DISABLE_INITIALIZE_FORK_SAFETY = mkDefault "YES";