nix-daemon: use system NIX_SSL_CERT_FILE

Otherwise the daemon wouldn't honor extra certificates from the security.pki options.
2024-09-11 12:49:18 +03:00 · 2019-01-16 22:47:19 +01:00 · 2019-01-16 22:47:19 +01:00 · 629fa53498
commit 629fa53498
parent 655b66975f
2 changed files with 8 additions and 1 deletions
--- a/modules/services/nix-daemon.nix
+++ b/modules/services/nix-daemon.nix
@ -60,7 +60,7 @@ in

      serviceConfig.EnvironmentVariables = mkMerge [
        config.nix.envVars
-        { NIX_SSL_CERT_FILE = mkDefault "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+        { NIX_SSL_CERT_FILE = mkDefault config.environment.variables.NIX_SSL_CERT_FILE;
          TMPDIR = mkIf (cfg.tempDir != null) cfg.tempDir;
        }
      ];
--- a/tests/services-nix-daemon.nix
+++ b/tests/services-nix-daemon.nix
@ -1,6 +1,7 @@
 { config, pkgs, ... }:

 let
+  cacert = pkgs.runCommand "cacert-0.0.0" {} "mkdir -p $out";
  nix = pkgs.runCommand "nix-0.0.0" { version = "1.11.6"; } "mkdir -p $out";
 in

@ -8,6 +9,8 @@ in
  services.nix-daemon.enable = true;
  nix.package = nix;

+  environment.variables.NIX_SSL_CERT_FILE = "${cacert}/etc/ssl/certs/ca-certificates.crt";
+
  test = ''
    echo checking nix-daemon service in /Library/LaunchDaemons >&2
    grep "<string>org.nixos.nix-daemon</string>" ${config.out}/Library/LaunchDaemons/org.nixos.nix-daemon.plist
@ -15,6 +18,10 @@ in
    grep "<key>KeepAlive</key>" ${config.out}/Library/LaunchDaemons/org.nixos.nix-daemon.plist
    ! grep "<key>Sockets</key>" ${config.out}/Library/LaunchDaemons/org.nixos.nix-daemon.plist

+    echo checking NIX_SSL_CERT_FILE in nix-daemon service >&2
+    grep "<key>NIX_SSL_CERT_FILE</key>" ${config.out}/Library/LaunchDaemons/org.nixos.nix-daemon.plist
+    grep "<string>${cacert}/etc/ssl/certs/ca-certificates.crt</string>" ${config.out}/Library/LaunchDaemons/org.nixos.nix-daemon.plist
+
    echo checking nix-daemon reload in /activate >&2
    grep "pkill -HUP nix-daemon" ${config.out}/activate