How to add a cert to CA bundle?

Hiya. security.pki.certificateFiles is an obvious answer for this question, except it doesn't work when the certificate is stored by agenix.
Is there a way to overcome this?

This is my current code, but it doesn't work either:

    { config, pkgs, ... }:
    {
      services.cloudflare-warp.enable = true;

      # Give warp its MDM config by linking the agenix-decrypted file into its state dir.
      systemd.tmpfiles.rules = [
        "d /var/lib/cloudflare-warp 0755 root root -"
        "L /var/lib/cloudflare-warp/mdm.xml - - - - ${config.age.secrets.cloudflare-mdm.path}"
      ];

      # At service start, copy the decrypted cert into /etc/ssl/certs and add the
      # subject-hash symlink that OpenSSL-style lookups expect.
      systemd.services.cloudflare-warp.preStart = ''
        ${pkgs.coreutils}/bin/install -Dm644 ${config.age.secrets.cloudflare-cert.path} /etc/ssl/certs/cloudflare-warp.pem
        ${pkgs.coreutils}/bin/ln -sf /etc/ssl/certs/cloudflare-warp.pem \
          /etc/ssl/certs/$(${pkgs.openssl}/bin/openssl x509 -hash -noout -in ${config.age.secrets.cloudflare-cert.path}).0
      '';
    }

Why use agenix? The point of certificates is that they are public, you should just put it in a plaintext file in your repo and use security.pki.certificateFiles as intended.

True, it's a public cert, but also client-specific, so it may have metadata which can be used for hostile reconnaissance then.

Then simply don’t publish the git repository containing this cert on a public forge.

Exfiltrating a public cert from the nix store of machines will almost certainly not give you any more metadata than you already have simply by gaining access to the machines in question. Especially since this gives you a company name at best; you can check what metadata your cert contains, you know. agenix is for secrets, public certificates are sensitive data at best.

If you still want to use a public forge, you can just place the cert in a private repo which you either depend on via flake inputs or a fetch* derivation. Hell, you could use a fetch* derivation to grab the cert from wherever you’re downloading it in the first place, or use requireFile if that’s nontrivial.
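Putting the two replies above together (commit the cert to the repo and use security.pki.certificateFiles as intended, or pull it from a private flake input, a fetch* derivation or requireFile), here is an added NixOS module that shows all four sources side by side. This is example code written for this thread, not the poster's configuration: the file path `./certs/cloudflare-warp.pem`, the input name `corp-certs`, the URL and the use of `lib.fakeHash` as a stand-in for the real hash are all placeholders, and the `inputs` module argument assumes the flake passes it through `specialArgs`.

```nix
# Added example: four build-time sources for the same public certificate.
# Everything here is resolved when the system closure is built, so no
# tmpfiles rule, preStart script or symlink into /etc/ssl/certs is needed.
{ config, lib, pkgs, inputs, ... }:

let
  # (1) Committed next to this module. A public cert in the repo is fine;
  #     keep the repo private if its metadata is a concern, as discussed above.
  fromRepo = ./certs/cloudflare-warp.pem;

  # (2) Taken from a private repo declared as a non-flake input, e.g. in flake.nix:
  #       inputs.corp-certs = { url = "git+ssh://git@example.com/org/certs.git"; flake = false; };
  #     (assumes specialArgs = { inherit inputs; } is set on the nixosSystem call)
  fromPrivateInput = "${inputs.corp-certs}/cloudflare-warp.pem";

  # (3) Fetched from wherever it is published. The hash pins the exact bytes:
  #     a swapped certificate fails the build instead of entering the trust store.
  #     lib.fakeHash is a placeholder; the first build prints the real hash to use.
  fromUrl = pkgs.fetchurl {
    url = "https://example.com/certs/cloudflare-warp.pem"; # placeholder URL
    hash = lib.fakeHash;                                   # replace with the printed hash
  };

  # (4) Not fetchable at all (e.g. only downloadable after a dashboard login):
  #     requireFile makes the build stop with instructions until the file has been
  #     added to the store by hand, again pinned to a hash.
  fromRequireFile = pkgs.requireFile {
    name = "cloudflare-warp.pem";
    hash = lib.fakeHash; # replace with the real hash
    message = ''
      Download cloudflare-warp.pem from the Cloudflare dashboard, then run:
        nix-store --add-fixed sha256 cloudflare-warp.pem
    '';
  };
in
{
  services.cloudflare-warp.enable = true;

  # Pick exactly one of the sources above. The NixOS ca module rebuilds the
  # bundle (cacert with extraCertificateFiles) as part of the system closure.
  security.pki.certificateFiles = [ fromRepo ];

  # If the PEM text is short and you would rather inline it, the sibling option
  # security.pki.certificates takes the PEM contents as strings instead of paths.
}
```

Whichever source you choose, the cert becomes an ordinary store path, and `/etc/ssl/certs/ca-certificates.crt` on the deployed machine already contains it at boot, before any service starts.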


Instead of manual symlinking, point security.pki.certificateFiles directly to the config.age.secrets.cloudflare-cert.path. Ensure your service waits for the secret decryption before execution.

Are you sure that works? The security.pki.certificateFiles option doesn’t have an associated service, the bundle is created at build time.

Maybe it works in impure mode if you’ve already booted into the system?
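Because the bundle is assembled at build time, the question of whether the cert made it in can be answered before deploying, without relying on impure mode or on the secret being decrypted. The following flake is an added example, not something from the thread: it assumes a host named `myhost`, a cert committed at `./certs/cloudflare-warp.pem`, a `./hardware-configuration.nix` that exists, and that the bundle is the `ssl/certs/ca-certificates.crt` entry the NixOS ca module installs into `/etc`. The check builds the host's bundle and compares SHA-256 fingerprints certificate by certificate, so it does not depend on PEM line wrapping or comment lines in the bundle.

```nix
# Added example: verify at build time that the CA bundle NixOS builds for a host
# contains our certificate. Run with: nix flake check
{
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";

  outputs = { self, nixpkgs, ... }:
    let
      system = "x86_64-linux";
      pkgs = nixpkgs.legacyPackages.${system};
      hostCfg = self.nixosConfigurations.myhost.config;

      # The bundle is a store path produced when the system closure is built.
      # An agenix path such as /run/agenix/cloudflare-cert only exists on the
      # booted machine, which is why handing it to security.pki.certificateFiles
      # leaves cacert's builder with nothing to read.
      bundle = hostCfg.environment.etc."ssl/certs/ca-certificates.crt".source;
      expected = ./certs/cloudflare-warp.pem; # assumed location of the cert
    in
    {
      nixosConfigurations.myhost = nixpkgs.lib.nixosSystem {
        inherit system;
        modules = [
          ./hardware-configuration.nix # assumed to exist
          { security.pki.certificateFiles = [ expected ]; }
        ];
      };

      checks.${system}.ca-bundle-has-cert =
        pkgs.runCommand "ca-bundle-has-cert" { nativeBuildInputs = [ pkgs.openssl ]; } ''
          want=$(openssl x509 -noout -fingerprint -sha256 -in ${expected})

          # Split the bundle into one file per certificate; n>0 skips any
          # preamble lines that precede the first BEGIN CERTIFICATE marker.
          awk '/BEGIN CERTIFICATE/{n++} n>0{print > ("cert-" n ".pem")}' ${bundle}

          for f in cert-*.pem; do
            if [ "$(openssl x509 -noout -fingerprint -sha256 -in "$f")" = "$want" ]; then
              echo "$want" > $out
              exit 0
            fi
          done

          echo "cloudflare-warp.pem is not in the built CA bundle" >&2
          exit 1
        '';
    };
}
```

The same `bundle` expression can be built directly with `nix build .#nixosConfigurations.myhost.config.environment.etc."ssl/certs/ca-certificates.crt".source` to inspect the file by hand; if the cert were supplied through an agenix path instead of a store path, that build is the step that fails, long before any systemd ordering on the secret could matter.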