Fix CA cert injection to be declarative (flakes-krtw)

Status: Done
Type: Task
Priority: normal
Parent: Container-first infrastructure (flakes-qbvb)

Replace manual /etc/ssl/certs mutation with security.pki.certificateFiles. Seeder pushes CA to a known path, NixOS handles cert bundle integration.

Summary of Changes

  • packs/nixos/container/onecli-proxy.nix: added /var/lib/onecli/ tmpfiles dir, onecli-ca-bundle.service (oneshot, rebuilds bundle idempotently from system certs + CA), and onecli-ca-bundle.path (watches /var/lib/onecli/ca.crt, re-triggers on every push/rotation). Updated NODE_EXTRA_CA_CERTS to point to the new stable path.
  • mixins/nixos/services/onecli.nix: seeder now writes CA to /var/lib/onecli/ca.crt only — no more in-container symlink replacement or bundle appending.
  • packs/home/host/linux/scripts/incus/onecli-push-ca.bash: same simplification.
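The declarative shape described above, as an added illustration rather than the repository's own onecli-proxy.nix: a tmpfiles rule for /var/lib/onecli, a oneshot that rebuilds the bundle atomically from the system certs plus the pushed CA, a path unit that re-triggers it on every push or rotation, and NODE_EXTRA_CA_CERTS pointing at the stable bundle path. The bundle filename (ca-bundle.crt) and the consuming unit name (onecli-proxy) are assumptions.

```nix
# Illustrative NixOS module (added here; not the project's onecli-proxy.nix).
# Assumed names: bundle path /var/lib/onecli/ca-bundle.crt, unit onecli-proxy.
{ pkgs, ... }:
let
  stateDir = "/var/lib/onecli";
  caFile = "${stateDir}/ca.crt";          # path the seeder pushes the CA to
  bundle = "${stateDir}/ca-bundle.crt";   # merged bundle handed to Node
in {
  # Stable state directory; /etc/ssl/certs itself is never mutated.
  systemd.tmpfiles.rules = [ "d ${stateDir} 0755 root root -" ];

  # Oneshot: rebuild the bundle from the system store plus the pushed CA.
  # Writing to a temp file and renaming makes each run idempotent and atomic,
  # so a reader never sees a half-written bundle.
  systemd.services.onecli-ca-bundle = {
    description = "Rebuild onecli CA bundle from system certs + pushed CA";
    serviceConfig.Type = "oneshot";
    path = [ pkgs.coreutils pkgs.openssl ];
    script = ''
      set -euo pipefail
      tmp="$(mktemp ${stateDir}/.bundle.XXXXXX)"
      cat /etc/ssl/certs/ca-certificates.crt > "$tmp"
      # Append the pushed CA only if it exists and parses as a certificate;
      # a truncated or garbage push must not poison the trust bundle.
      if [ -s ${caFile} ] && openssl x509 -noout -in ${caFile}; then
        cat ${caFile} >> "$tmp"
      fi
      chmod 0644 "$tmp"
      mv -f "$tmp" ${bundle}
    '';
  };

  # Path unit: re-run the oneshot whenever the seeder pushes or rotates ca.crt.
  systemd.paths.onecli-ca-bundle = {
    wantedBy = [ "multi-user.target" ];
    pathConfig.PathChanged = caFile;   # triggers onecli-ca-bundle.service
  };

  # The Node process trusts the rebuilt bundle at a fixed, predictable path.
  systemd.services.onecli-proxy = {
    after = [ "onecli-ca-bundle.service" ];
    wants = [ "onecli-ca-bundle.service" ];
    environment.NODE_EXTRA_CA_CERTS = bundle;
  };
}
```

A push or rotation then only has to write ca.crt into /var/lib/onecli; the path unit and oneshot do the rest, and a failed write leaves the previous bundle intact.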