author: Keshav Kini <keshav.kini@gmail.com> 2021-05-16 10:59:56 -0700
committer: Keshav Kini <keshav.kini@gmail.com> 2021-05-16 17:23:11 -0700
commit: 348858f2971310be9fba9a8ce3ee214dad5630c0
tree: d54964ab6a620bfc7f94ba52fc83e3b859c118b9 /nixos
parent: 72df572fa3224a64189164446101721145c677da
nixos/security.pki: handle PEMs w/o a final newline
According to the ABNF grammar for PEM files described in [RFC
7468][1], an eol character (i.e. a newline) is not mandatory after the
posteb line (i.e. "-----END CERTIFICATE-----" in the case of
certificates).

This commit makes our CA certificate bundler expression account for
the possibility that files in config.security.pki.certificateFiles
might not have final newlines, by using `awk` instead of `cat` to
concatenate them. (`awk` prints a final newline from each input file
even if the file doesn't end with a newline.)

[1]: https://datatracker.ietf.org/doc/html/rfc7468#section-3
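The failure the message describes, reproduced with two constructed PEM files and both concatenation steps side by side (added example, not code from the nixpkgs commit; the file names and base64 bodies are placeholders):

```shell
#!/bin/sh
# Added demonstration, not code from the nixpkgs commit: build a CA bundle from
# two constructed PEM files, one lacking the final newline that RFC 7468 leaves
# optional, and compare `cat` with `awk 1` as the concatenation step in ca.nix.
set -eu

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed placeholder bodies; the base64 payloads are not real certificates.
printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'QUFBQQ==' \
  '-----END CERTIFICATE-----' > "$workdir/a.crt"      # no eol after the posteb line
printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' 'QkJCQg==' \
  '-----END CERTIFICATE-----' > "$workdir/b.crt"      # conventional final newline

# count_certs_with <concat-command...>: run the given command over a.crt and
# b.crt the way the ca.nix derivation does, then count BEGIN markers that still
# stand on a line of their own. A BEGIN glued onto the previous END line is not
# counted, which is the block a PEM parser would silently fail to recognise.
count_certs_with() {
  out="$workdir/bundle.$$"
  "$@" "$workdir/a.crt" "$workdir/b.crt" > "$out"
  grep -c -e '^-----BEGIN CERTIFICATE-----$' "$out" || true
}

# glued_markers <concat-command...>: prints 1 if an END marker and a BEGIN
# marker share a line in the resulting bundle, 0 otherwise.
glued_markers() {
  out="$workdir/bundle.$$"
  "$@" "$workdir/a.crt" "$workdir/b.crt" > "$out"
  if grep -q -e 'END CERTIFICATE----------BEGIN' "$out"; then echo 1; else echo 0; fi
}

echo "cat   : $(count_certs_with cat) parseable certificate(s), glued=$(glued_markers cat)"
echo "awk 1 : $(count_certs_with awk 1) parseable certificate(s), glued=$(glued_markers awk 1)"
```

With `cat` the bundle contains one parseable block and one glued marker line; with `awk 1` both blocks survive because awk terminates every record it prints, including a final record that had no newline in the input.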
Diffstat (limited to 'nixos')
-rw-r--r-- nixos/modules/security/ca.nix | 13
1 files changed, 4 insertions, 9 deletions
diff --git a/nixos/modules/security/ca.nix b/nixos/modules/security/ca.nix
index 1c4ee421fc5..7df86e71423 100644
--- a/nixos/modules/security/ca.nix
+++ b/nixos/modules/security/ca.nix
@@ -10,15 +10,10 @@ let
     blacklist = cfg.caCertificateBlacklist;
   };
 
-  caCertificates = pkgs.runCommand "ca-certificates.crt"
-    { files =
-        cfg.certificateFiles ++
-        [ (builtins.toFile "extra.crt" (concatStringsSep "\n" cfg.certificates)) ];
-      preferLocalBuild = true;
-     }
-    ''
-      cat $files > $out
-    '';
+  caCertificates = pkgs.runCommand "ca-certificates.crt" {
+    files = cfg.certificateFiles ++ [ (builtins.toFile "extra.crt" (concatStringsSep "\n" cfg.certificates)) ];
+    preferLocalBuild = true;
+  } "awk 1 $files > $out";  # awk ensures a newline between each pair of consecutive files
 
 in
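Review bot: the trailing comment on the new `caCertificates` line understates what the fix relies on; `awk 1` works because POSIX awk terminates every record it prints with ORS, including a final record that had no newline in the input, so a file ending in `-----END CERTIFICATE-----` without an eol can no longer run into the next file's `-----BEGIN CERTIFICATE-----` line and make that certificate unparseable. Consider spelling that out, e.g. `# awk 1 re-emits each line with a trailing newline, so a file lacking a final newline cannot glue its END line to the next file's BEGIN line`. It is also worth noting that `$files` is deliberately unquoted so the shell word-splits the space-separated list of store paths, the same contract the old `cat $files` had, and the one-line attrset makes the `extra.crt` list construction a long line that the previous multi-line form read more easily.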