From 35319f58de888ede7cb7949e9caaee11879a58c8 Mon Sep 17 00:00:00 2001
From: aaron
Date: Fri, 23 Jan 2026 20:20:12 +0100
Subject: [PATCH] feature(ssl/tls): add my homelab pki root ca to the trust store
---
 hosts/neon/configuration.nix | 1 +
 modules/nixos/certificates.nix | 22 ++++++++++++++++++++++
 2 files changed, 23 insertions(+)
 create mode 100644 modules/nixos/certificates.nix
diff --git a/hosts/neon/configuration.nix b/hosts/neon/configuration.nix
index 8a3a870..a647933 100644
--- a/hosts/neon/configuration.nix
+++ b/hosts/neon/configuration.nix
@@ -4,6 +4,7 @@
 imports = [
 ../../modules/nixos/audio.nix
 ../../modules/nixos/bootloader.nix
+ ../../modules/nixos/certificates.nix
 ../../modules/nixos/gnupg.nix
 ../../modules/nixos/locales.nix
 ../../modules/nixos/networking.nix
diff --git a/modules/nixos/certificates.nix b/modules/nixos/certificates.nix
new file mode 100644
index 0000000..b5d0615
--- /dev/null
+++ b/modules/nixos/certificates.nix
@@ -0,0 +1,22 @@
+{ config, lib, pkgs, ... }:
+
+let
+ caddyRootCA = ''
+ -----BEGIN CERTIFICATE-----
+ MIIBozCCAUmgAwIBAgIQf2N1DGp2HVOoPaGuGDEnwjAKBggqhkjOPQQDAjAwMS4w
+ LAYDVQQDEyVDYWRkeSBMb2NhbCBBdXRob3JpdHkgLSAyMDI1IEVDQyBSb290MB4X
+ DTI1MTEwNjE5NDA1OFoXDTM1MDkxNTE5NDA1OFowMDEuMCwGA1UEAxMlQ2FkZHkg
+ TG9jYWwgQXV0aG9yaXR5IC0gMjAyNSBFQ0MgUm9vdDBZMBMGByqGSM49AgEGCCqG
+ SM49AwEHA0IABGR9mSgKCSjvcv7LvvIcO84Wpf/KtC/aexT5shSKXd1R97kIyMI5
+ SUYz0MzbRZHJ4QMpIeALirOK9Eoy2zht0dKjRTBDMA4GA1UdDwEB/wQEAwIBBjAS
+ BgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBRHKfIfJrrA2DACFrunVSmdnJHO
+ 1zAKBggqhkjOPQQDAgNIADBFAiAoqc0+cHeq/8SQN16CKjVvXpZuMkg7NLDoWYMw
+ KgmzowIhAJlkxzBdVngwnJu8uPrVizTGF6XtmUHdJ0NDeccEqUCr
+ -----END CERTIFICATE-----
+ '';
+in
+{
+ security.pki.certificates = [
+ caddyRootCA # self-signed pki ca for my home-lab
+ ];
+}
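Review bot: The `caddyRootCA` entry in `security.pki.certificates` makes this root a system-wide trust anchor on every host that imports the module, and nothing in `modules/nixos/certificates.nix` records where the PEM came from or how far that trust reaches. Decoded, the certificate appears to be "Caddy Local Authority - 2025 ECC Root" with CA:TRUE, path length 1 and no name constraints, valid until 2035-09-15, so a certificate chained to the Caddy root key would be accepted for any hostname, not only homelab names. I would expand the trailing comment to something like `# Caddy Local Authority - 2025 ECC Root, expires 2035-09-15; SHA-256 <FINGERPRINT-FROM-CADDY-HOST>, compare before merging`, and treat the root key on the Caddy host as a secret whose compromise means removing this entry. The unused `config`, `lib` and `pkgs` arguments can shrink to `{ ... }:`.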