Trust WNTRMUTE CA for podman registry connections

Podman/skopeo don't use the system CA bundle for registry TLS — they
use /etc/containers/certs.d/<host:port>/ca.crt. Add the WNTRMUTE CA
there so podman push/pull to MCR works without --tls-verify=false.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 15:59:59 -07:00
parent 2b8d2b980c
commit 59ac363c45


@@ -141,6 +141,11 @@
# Trust the WNTRMUTE issuing CA for all Metacircular services. # Trust the WNTRMUTE issuing CA for all Metacircular services.
security.pki.certificateFiles = [ ./certs/wntrmute-ca.pem ]; security.pki.certificateFiles = [ ./certs/wntrmute-ca.pem ];
# Trust the WNTRMUTE CA for podman/skopeo registry connections (MCR).
# Podman uses /etc/containers/certs.d/<registry:port>/ca.crt, not the
# system CA bundle.
environment.etc."containers/certs.d/mcr.svc.mcp.metacircular.net:8443/ca.crt".source = ./certs/wntrmute-ca.pem;
nix.settings.experimental-features = [ "nix-command" "flakes" ]; nix.settings.experimental-features = [ "nix-command" "flakes" ];
nix.settings.trusted-users = ["kyle"]; nix.settings.trusted-users = ["kyle"];
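Review bot: the `environment.etc."containers/certs.d/mcr.svc.mcp.metacircular.net:8443/ca.crt"` entry keys the CA on an exact `host:port` string, so the comment above it should say that the directory name must match the registry reference exactly as it appears in `podman push`/`pull` (including the `:8443` port); an image referenced through any other hostname or port form will not find this `ca.crt` and will fail TLS verification just as before. Worth stating in the comment that this line and `security.pki.certificateFiles` intentionally point at the same `./certs/wntrmute-ca.pem`, so a future CA rotation only needs the one file replaced; a second copy under a different name would silently drift.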