authorEelco Dolstra <eelco.dolstra@logicblox.com>2015-02-15 18:55:07 +0100
committerEelco Dolstra <eelco.dolstra@logicblox.com>2015-02-15 19:06:31 +0100
commit75e1b5e317653a66dd64367fdf20f3d0cc9f6955 (patch)
treeb2057740c0199e3a57ac44d62e197a9cc8c2fc78 /nixos/modules/security/ca.nix
parentca2d7774e006dcf2a6f642e9b4a0e3b2df0ade02 (diff)
Provide symlinks to ca-bundle.crt for compat with other distros
There is no "standard" location for the certificate bundle, so many
programs/libraries have various hard-coded default locations that
don't exist on NixOS. To make these more likely to work, provide
some symlinks.
Diffstat (limited to 'nixos/modules/security/ca.nix')
-rw-r--r--nixos/modules/security/ca.nix32
1 files changed, 20 insertions, 12 deletions
diff --git a/nixos/modules/security/ca.nix b/nixos/modules/security/ca.nix
index e070ffc95e4..2eaee815c7d 100644
--- a/nixos/modules/security/ca.nix
+++ b/nixos/modules/security/ca.nix
@@ -2,6 +2,19 @@
 
 with lib;
 
+let
+
+  caBundle = pkgs.runCommand "ca-bundle.crt"
+    { files =
+        config.security.pki.certificateFiles ++
+        [ (builtins.toFile "extra.crt" (concatStringsSep "\n" config.security.pki.certificates)) ];
+     }
+    ''
+      cat $files > $out
+    '';
+
+in
+
 {
 
   options = {
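Review bot: `cat $files > $out` in the new `caBundle` binding joins its inputs with no separator. If any entry of `security.pki.certificateFiles` lacks a final newline, its `-----END CERTIFICATE-----` line runs into the next file's `-----BEGIN CERTIFICATE-----`, and PEM parsers may reject or silently skip the certificates at that boundary. The builder is carried over unchanged from the old `environment.etc` entry, but it now feeds every trust-store path this module exposes, so it is worth hardening, for example with `for f in $files; do cat "$f"; echo; done > $out`. Whether any real input is missing the newline cannot be told from this hunk.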
@@ -42,18 +55,13 @@ with lib;
 
     security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ca-bundle.crt" ];
 
-    environment.etc =
-      [ { source = pkgs.runCommand "ca-bundle.crt"
-          { files =
-              config.security.pki.certificateFiles ++
-              [ (builtins.toFile "extra.crt" (concatStringsSep "\n" config.security.pki.certificates)) ];
-           }
-          ''
-            cat $files > $out
-          '';
-          target = "ssl/certs/ca-bundle.crt";
-        }
-      ];
+    environment.etc."ssl/certs/ca-bundle.crt".source = caBundle;
+
+    # CentOS/Fedora compatibility.
+    environment.etc."pki/tls/certs/ca-bundle.crt".source = caBundle;
+
+    # Debian/Ubuntu/Arch/Gentoo compatibility.
+    environment.etc."ssl/certs/ca-certificates.crt".source = caBundle;
 
     environment.sessionVariables =
       { SSL_CERT_FILE          = "/etc/ssl/certs/ca-bundle.crt";
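Review bot: The two compatibility comments name the distros but not the trust consequence of the three `environment.etc` assignments. All three paths resolve to the same `caBundle`, so any CA added through `security.pki.certificates` or `security.pki.certificateFiles` is now also trusted by software that hard-codes the Fedora or Debian path and presumably found no bundle there before. A comment above the first assignment would make that explicit, for example `# All paths below are the same bundle; locally added CAs are trusted via each of them.` The `environment.sessionVariables` block continues past the end of this hunk, so only the first path is seen being exported there.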