/etc/ssl/certs/ca-bundle.crt -> ca-certificates.crt

Even though there is no "official" standard location, it's better to
stick to what most distros are using.

1 files changed, 7 insertions, 6 deletions

diff --git a/nixos/modules/security/ca.nix b/nixos/modules/security/ca.nix
index 2eaee815c7d..e60cb5cdb67 100644
--- a/nixos/modules/security/ca.nix
+++ b/nixos/modules/security/ca.nix
@@ -55,20 +55,21 @@ in
 
     security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ca-bundle.crt" ];
 
+    # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility.
+    environment.etc."ssl/certs/ca-certificates.crt".source = caBundle;
+
+    # Old NixOS compatibility.
     environment.etc."ssl/certs/ca-bundle.crt".source = caBundle;
 
     # CentOS/Fedora compatibility.
     environment.etc."pki/tls/certs/ca-bundle.crt".source = caBundle;
 
-    # Debian/Ubuntu/Arch/Gentoo compatibility.
-    environment.etc."ssl/certs/ca-certificates.crt".source = caBundle;
-
     environment.sessionVariables =
-      { SSL_CERT_FILE          = "/etc/ssl/certs/ca-bundle.crt";
+      { SSL_CERT_FILE          = "/etc/ssl/certs/ca-certificates.crt";
         # FIXME: unneeded - remove eventually.
-        OPENSSL_X509_CERT_FILE = "/etc/ssl/certs/ca-bundle.crt";
+        OPENSSL_X509_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt";
         # FIXME: unneeded - remove eventually.
-        GIT_SSL_CAINFO         = "/etc/ssl/certs/ca-bundle.crt";
+        GIT_SSL_CAINFO         = "/etc/ssl/certs/ca-certificates.crt";
       };
 
   };