nixos/kanidm: bind ca-bundle to validate url on provisioning

The provisioning script can be configured to validate the server certificate,
but the unit lockdown prevents access to the trusted certificate authority
(ca) bundle.
The system trusted ca store path is added to the bind paths as solution.

nixos/modules/services/security/kanidm.nix

@@ -887,7 +887,14 @@ in
         (
           defaultServiceConfig
           // {
-            BindReadOnlyPaths = mergePaths (defaultServiceConfig.BindReadOnlyPaths ++ secretPaths);
+            BindReadOnlyPaths = mergePaths (
+              defaultServiceConfig.BindReadOnlyPaths
+              ++ secretPaths
+              ++ (lib.optionals (cfg.provision.enable && !cfg.provision.acceptInvalidCerts) [
+                "-/etc/ssl"
+                "-/etc/static/ssl"
+              ])
+            );
           }
         )
         {