security.pki: add test for ca-certificates.crt

release.nix

@@ -98,6 +98,7 @@ let
     tests.nixpkgs-overlays = makeTest ./tests/nixpkgs-overlays.nix;
     tests.programs-ssh = makeTest ./tests/programs-ssh.nix;
     tests.programs-zsh = makeTest ./tests/programs-zsh.nix;
+    tests.security-pki = makeTest ./tests/security-pki.nix;
     tests.services-activate-system = makeTest ./tests/services-activate-system.nix;
     tests.services-buildkite-agent = makeTest ./tests/services-buildkite-agent.nix;
     tests.services-nix-daemon = makeTest ./tests/services-nix-daemon.nix;

tests/security-pki.nix

@@ -0,0 +1,24 @@
+{ config, pkgs, ... }:
+
+{
+  security.pki.certificates = [
+    ''
+      Fake Root CA
+      ------------
+    ''
+  ];
+
+  test = ''
+    echo "checking for ca-certificates.crt in /etc" >&2
+    test -e ${config.out}/etc/ssl/certs/ca-certificates.crt
+
+    echo "checking NIX_SSL_CERT_FILE in set-environment" >&2
+    grep 'NIX_SSL_CERT_FILE="/etc/ssl/certs/ca-certificates.crt"' ${config.system.build.setEnvironment}
+
+    echo "checking for certificates in ca-certificates.crt" >&2
+    grep -q 'BEGIN CERTIFICATE' ${config.out}/etc/ssl/certs/ca-certificates.crt
+
+    echo "checking for extra certificate in ca-certificates.crt" >&2
+    grep 'Fake Root CA' ${config.out}/etc/ssl/certs/ca-certificates.crt
+  '';
+}