From a73ba5c93a5acd8b4b8082ececffdcd99af72520 Mon Sep 17 00:00:00 2001
From: Bert Proesmans
Date: Tue, 20 May 2025 20:28:36 +0000
Subject: [PATCH] nixos/kanidm: bind ca-bundle to validate url on provisioning

The provisioning script can be configured to validate the server certificate, but the unit lockdown prevents access to the trusted certificate authority (ca) bundle. The system trusted ca store path is added to the bind paths as solution.
---
 nixos/modules/services/security/kanidm.nix | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/nixos/modules/services/security/kanidm.nix b/nixos/modules/services/security/kanidm.nix
index 14927f439ca5..53b3bb1ced9e 100644
--- a/nixos/modules/services/security/kanidm.nix
+++ b/nixos/modules/services/security/kanidm.nix
@@ -887,7 +887,14 @@ in
 (
   defaultServiceConfig
   // {
-    BindReadOnlyPaths = mergePaths (defaultServiceConfig.BindReadOnlyPaths ++ secretPaths);
+    BindReadOnlyPaths = mergePaths (
+      defaultServiceConfig.BindReadOnlyPaths
+      ++ secretPaths
+      ++ (lib.optionals (cfg.provision.enable && !cfg.provision.acceptInvalidCerts) [
+        "-/etc/ssl"
+        "-/etc/static/ssl"
+      ])
+    );
   }
 )
 {
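Review bot: The two added bind paths carry the `-` prefix, so a missing or unreadable CA directory is skipped silently at unit start and only surfaces later as a certificate-verification error from the provisioning script; the `lib.optionals` line deserves a why-comment so the next reader does not have to rediscover the lockdown interaction. Suggest `# Provisioning validates the server certificate unless acceptInvalidCerts is set; expose the system CA bundle (on NixOS /etc/ssl is a symlink chain via /etc/static/ssl into the store).` directly above `++ (lib.optionals (cfg.provision.enable && !cfg.provision.acceptInvalidCerts) [`. Since the bundle is ultimately a store path, this only works if the store is already readable inside the sandbox through `defaultServiceConfig.BindReadOnlyPaths` or the unit's other settings, which lie outside the hunk and are worth confirming. The enclosing `serviceConfig` expression starts before and ends after this hunk.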