{ pkgs, ... }:
{
  security.pki = {
    certificateFiles = [
      "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
      ./root-ca.crt
      ./root-ca-old.crt
    ];
  };
}