From 59ac363c451312a7ff09ae1ba9be037b674d34f3 Mon Sep 17 00:00:00 2001
From: Kyle Isom
Date: Sat, 28 Mar 2026 15:59:59 -0700
Subject: [PATCH] Trust WNTRMUTE CA for podman registry connections
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Podman/skopeo don't use the system CA bundle for registry TLS — they use /etc/containers/certs.d//ca.crt. Add the WNTRMUTE CA there so podman push/pull to MCR works without --tls-verify=false.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 configuration.nix | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/configuration.nix b/configuration.nix
index 0e645a2..77c128f 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -141,6 +141,11 @@
   # Trust the WNTRMUTE issuing CA for all Metacircular services.
   security.pki.certificateFiles = [ ./certs/wntrmute-ca.pem ];
 
+  # Trust the WNTRMUTE CA for podman/skopeo registry connections (MCR).
+  # Podman uses /etc/containers/certs.d//ca.crt, not the
+  # system CA bundle.
+  environment.etc."containers/certs.d/mcr.svc.mcp.metacircular.net:8443/ca.crt".source = ./certs/wntrmute-ca.pem;
+
   nix.settings.experimental-features = [ "nix-command" "flakes" ];
   nix.settings.trusted-users = ["kyle"];