From 87be4e34d3a1a314addae1921ceaf1e226ed0319 Mon Sep 17 00:00:00 2001 From: Kyle Isom Date: Wed, 25 Mar 2026 19:30:24 -0700 Subject: [PATCH] Add WNTRMUTE issuing CA to system trust store All NixOS machines now trust the Metacircular platform CA. This allows curl, browsers, and Go services to verify TLS certificates issued by Metacrypt without --insecure or custom CA flags. Co-Authored-By: Claude Opus 4.6 (1M context)
---
certs/wntrmute-ca.pem | 18 ++++++++++++++++++ configuration.nix | 3 +++ 2 files changed, 21 insertions(+) create mode 100644 certs/wntrmute-ca.pem
diff --git a/certs/wntrmute-ca.pem b/certs/wntrmute-ca.pem
new file mode 100644
index 0000000..a9e82ce
--- /dev/null
+++ b/certs/wntrmute-ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6zCCAkygAwIBAgIUTh42D9w7YT5e/Nz+42m32ZyHNvEwCgYIKoZIzj0EAwQw
+gY0xCzAJBgNVBAYTAlVTMQkwBwYDVQQIEwAxCTAHBgNVBAcTADEiMCAGA1UEChMZ
+V05UUk1VVEUgSGVhdnkgSW5kdXN0cmllczEfMB0GA1UECxMWQ3J5cHRvZ3JhcGhp
+YyBTZXJ2aWNlczEjMCEGA1UEAxMaV05UUk1VVEUgSXNzdWluZyBBdXRob3JpdHkw
+HhcNMjYwMzExMjMxOTE0WhcNNDYwMzA3MDAxOTE0WjCBjTELMAkGA1UEBhMCVVMx
+CTAHBgNVBAgTADEJMAcGA1UEBxMAMSIwIAYDVQQKExlXTlRSTVVURSBIZWF2eSBJ
+bmR1c3RyaWVzMR8wHQYDVQQLExZDcnlwdG9ncmFwaGljIFNlcnZpY2VzMSMwIQYD
+VQQDExpXTlRSTVVURSBJc3N1aW5nIEF1dGhvcml0eTCBmzAQBgcqhkjOPQIBBgUr
+gQQAIwOBhgAEAewp0TVimwwnBnXWWYBoBNCmP73xPii58M/wWdwxY0myv2IHXiXB
+/ip4Q25dMYhFyoCMq0g5VkRl5Y18OHfxLxrdARHE/tVlvnqzNH+sG0sm53NPRIeY
+Eo0xbF546rv+/huC39SMrkZsrGmW3qiXOScX8LIQucvyJYcn2smqL2Gv8LzPo0Uw
+QzAOBgNVHQ8BAf8EBAMCAgQwEgYDVR0TAQH/BAgwBgEB/wIBAjAdBgNVHQ4EFgQU
+RVqxahQ8/leaLJjewC/xcoLJbTwwCgYIKoZIzj0EAwQDgYwAMIGIAkIA/6VhQ1/o
+yZ+JNLxXHhhvUMiv/05Man3wM9Bn/dTUC0KamJo0K1AwtWQoYU69vxs8nj4xH4+A
+oyATEqNB97byr74CQgC9sZfPWqDlFLqGO6dNEQqOF/54ya64fKQdSwNL4UzZTW8U
+215hy6CercFpR9AzFBcCAonBY5fIJvlu64SUWXlStg==
+-----END CERTIFICATE-----
diff --git a/configuration.nix b/configuration.nix
index f919b7d..58820cc 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -136,6 +136,9 @@ }; programs.ssh.askPassword = "ksshaskpass"; + # Trust the WNTRMUTE issuing CA for all Metacircular services. + security.pki.certificateFiles = [ ./certs/wntrmute-ca.pem ]; + nix.settings.experimental-features = [ "nix-command" "flakes" ]; nix.settings.trusted-users = ["kyle"];
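Review bot: `security.pki.certificateFiles` adds this CA to the system-wide bundle, so every TLS client on these machines will accept it for any hostname, not only for Metacircular services as the new comment suggests. The committed certificate appears to be a self-signed CA with no nameConstraints extension (confirm with `openssl x509 -in certs/wntrmute-ca.pem -noout -text`), so a compromise of the Metacrypt signing key would let a certificate for any public site validate on these hosts. Consider reissuing the CA with name constraints limited to the internal domains, and record how the PEM was verified, e.g. `# System-wide trust anchor (valid for any hostname). SHA-256 fingerprint: <FINGERPRINT-PLACEHOLDER>; verify against Metacrypt before updating.` The enclosing attribute set starts and ends outside this hunk.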