From 5773481ce03499e9c6beecd0c7ea12cc00a10b70 Mon Sep 17 00:00:00 2001
From: Gabriel Arazas
Date: Tue, 6 Aug 2024 11:00:00 +0800
Subject: [PATCH] wrapper-manager/sandboxing/bubblewrap: add option to bundle certificates from nixpkgs
---
 modules/wrapper-manager/sandboxing/bubblewrap/default.nix | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/modules/wrapper-manager/sandboxing/bubblewrap/default.nix b/modules/wrapper-manager/sandboxing/bubblewrap/default.nix
index ae36b319..cad6f3ce 100644
--- a/modules/wrapper-manager/sandboxing/bubblewrap/default.nix
+++ b/modules/wrapper-manager/sandboxing/bubblewrap/default.nix
@@ -44,6 +44,10 @@ let
 default = if isGlobal then true else cfg.enableNetwork;
 };
+ enableBundledCertificates = lib.mkEnableOption "bundling additional certificates from nixpkgs" // {
+ default = if isGlobal then true else cfg.enableBundledCertificates;
+ };
+
 enableIsolation = lib.mkEnableOption "unsharing most of the system" // {
 default = if isGlobal then true else cfg.enableIsolation;
 };
@@ -106,6 +110,10 @@ in
 ];
 })
+ (lib.mkIf submoduleCfg.enableBundledCertificates {
+ sandboxing.bubblewrap.sharedNixPaths = [ pkgs.cacert ];
+ })
+
 (lib.mkIf submoduleCfg.enableIsolation {
 sandboxing.bubblewrap.extraArgs = lib.mkBefore [ "--unshare-all" ];
 })
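Review bot: The description on `enableBundledCertificates` in the first hunk ("bundling additional certificates from nixpkgs") does not say which trust anchors are exposed to the sandbox, and nothing documents that the option is on by default. The global default is `true` and each wrapper inherits it through `cfg.enableBundledCertificates`, so every sandbox gets the bundle unless it opts out. I would name the package in the description, e.g. `lib.mkEnableOption "sharing the nixpkgs CA bundle (pkgs.cacert) with the sandbox"`, and add a comment above the option such as `# On by default; set to false for wrappers that never make TLS connections.` The `let` block holding these options starts and ends outside the hunk.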
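Review bot: In the second hunk, adding `pkgs.cacert` to `sharedNixPaths` only makes the store path visible inside the sandbox; nothing here tells TLS clients where the bundle is. Unless that is handled elsewhere in the module, a program that looks in `/etc/ssl/certs` or follows an inherited `SSL_CERT_FILE` can still fail verification, which tends to push users toward disabling it. Consider exporting the path in the same `mkIf`, e.g. `sandboxing.bubblewrap.extraArgs = [ "--setenv" "SSL_CERT_FILE" "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ];`. For least privilege the block could also be gated on networking, `lib.mkIf (submoduleCfg.enableNetwork && submoduleCfg.enableBundledCertificates)`, assuming `enableNetwork` is reachable on `submoduleCfg` like its sibling options. The list of `mkIf` blocks continues outside the hunk.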