Add WNTRMUTE issuing CA to system trust store

All NixOS machines now trust the Metacircular platform CA. This
allows curl, browsers, and Go services to verify TLS certificates
issued by Metacrypt without --insecure or custom CA flags.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 19:30:24 -07:00
parent 73be02eaae
commit 87be4e34d3
2 changed files with 21 additions and 0 deletions


@@ -136,6 +136,9 @@
};
programs.ssh.askPassword = "ksshaskpass";
# Trust the WNTRMUTE issuing CA for all Metacircular services.
security.pki.certificateFiles = [ ./certs/wntrmute-ca.pem ];
nix.settings.experimental-features = [ "nix-command" "flakes" ];
nix.settings.trusted-users = ["kyle"];
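Review bot: The `security.pki.certificateFiles` line makes the WNTRMUTE issuing CA a trust anchor in the system-wide bundle, so every TLS client that uses that bundle will accept a certificate it issues for any hostname, not only Metacircular ones. The exception is a CA certificate that carries name constraints, and the PEM is not visible in this hunk, so that is worth confirming. I would record the scope and a way to verify the file in the comment above it, e.g. `# System-wide trust anchor for Metacrypt-issued certs. SHA-256 fingerprint: <FINGERPRINT-PLACEHOLDER>; name-constrained to <INTERNAL-DOMAIN-PLACEHOLDER>.` Recording the fingerprint there lets a later reviewer notice if `certs/wntrmute-ca.pem` is replaced. The enclosing attribute set starts and ends outside the hunk.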