nix-daemon: use system NIX_SSL_CERT_FILE

Otherwise the daemon wouldn't honor extra certificates from the
security.pki options.

modules/services/nix-daemon.nix

@@ -60,7 +60,7 @@ in
 
       serviceConfig.EnvironmentVariables = mkMerge [
         config.nix.envVars
-        { NIX_SSL_CERT_FILE = mkDefault "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+        { NIX_SSL_CERT_FILE = mkDefault config.environment.variables.NIX_SSL_CERT_FILE;
           TMPDIR = mkIf (cfg.tempDir != null) cfg.tempDir;
         }
       ];

tests/services-nix-daemon.nix

@@ -1,6 +1,7 @@
 { config, pkgs, ... }:
 
 let
+  cacert = pkgs.runCommand "cacert-0.0.0" {} "mkdir -p $out";
   nix = pkgs.runCommand "nix-0.0.0" { version = "1.11.6"; } "mkdir -p $out";
 in
 
@@ -8,6 +9,8 @@ in
   services.nix-daemon.enable = true;
   nix.package = nix;
 
+  environment.variables.NIX_SSL_CERT_FILE = "${cacert}/etc/ssl/certs/ca-certificates.crt";
+
   test = ''
     echo checking nix-daemon service in /Library/LaunchDaemons >&2
     grep "<string>org.nixos.nix-daemon</string>" ${config.out}/Library/LaunchDaemons/org.nixos.nix-daemon.plist
@@ -15,6 +18,10 @@ in
     grep "<key>KeepAlive</key>" ${config.out}/Library/LaunchDaemons/org.nixos.nix-daemon.plist
     ! grep "<key>Sockets</key>" ${config.out}/Library/LaunchDaemons/org.nixos.nix-daemon.plist
 
+    echo checking NIX_SSL_CERT_FILE in nix-daemon service >&2
+    grep "<key>NIX_SSL_CERT_FILE</key>" ${config.out}/Library/LaunchDaemons/org.nixos.nix-daemon.plist
+    grep "<string>${cacert}/etc/ssl/certs/ca-certificates.crt</string>" ${config.out}/Library/LaunchDaemons/org.nixos.nix-daemon.plist
+
     echo checking nix-daemon reload in /activate >&2
     grep "pkill -HUP nix-daemon" ${config.out}/activate