As mentioned on Mastodon (https://mastodon.social/@dpom@fosstodon.org/113460954769241417) there seems to be no way to do it at the moment :(

Thanks, I’ll try that!

Sure. I import the certificates like this:

{ config, pkgs, inputs, ... }:
{
  security.pki.certificateFiles = [
    ./certificates/home.pem
  ];
}

where home.pem is a default PEM formatted certificate. It works fine to import the cert system wide this way.

If I enter the flake.nix and run a simple curl against the remote server I get the following, which is typical for a TLS certificate error.

curl https://webpage.home
curl: (35) OpenSSL/3.0.14: error:16000069:STORE routines::unregistered scheme

So it seems to me that the development shell does not pick up the certificates installed on the system. I can work around that by using an impure shell, but I think that this is not how nix should be used.

Thanks for the response. You are right, the config was at the wrong path. Unfortunately, the config itself does not work, too. After a bit of testing around this worked for me:

apiVersion: v1
kind: PersistentVolume
metadata:
  name: nix-cache-volume
spec:
  capacity:
    storage: 500Gi
  storageClassName: manual
  accessModes:
    - ReadWriteOnce
  hostPath:
    path: "/mnt/k8s/nix-cache" # Needs exists before PV is created!
  persistentVolumeReclaimPolicy: Retain
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nix-cache-pvc
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: manual
  resources:
    requests:
      storage: 500Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nix-cache
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nix-cache
  template:
    metadata:
      labels:
        app: nix-cache
        name: nix-cache
    spec:
      volumes:
        - name: nix-cache-storage
          persistentVolumeClaim:
            claimName: nix-cache-pvc
        - name: nix-cache-config
          configMap:
            name: nix-cache-config
      containers:
        - name: nix-cache
          image: nginx:1.27.0 
          ports:
            - containerPort: 80
          volumeMounts:
            - name: nix-cache-storage
              mountPath: /data
            - name: nix-cache-config
              mountPath: /etc/nginx/nginx.conf
              subPath: nginx.conf
              readOnly: true
          resources:
            limits:
              memory: "512Mi"
              cpu: "300m"
            requests:
              memory: "256Mi"
              cpu: "200m"
---
apiVersion: v1
kind: Service
metadata:
  name: nix-cache
spec:
  selector:
    app: nix-cache
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nix-cache-ingress
  annotations:
    traefik.ingress.kubernetes.io/router.tls: "true"
spec:
  rules:
    - host: "nix-cache.raspi.home"
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: nix-cache
                port:
                  number: 80
  tls:
    - secretName: nix-cache-raspi-home-tls
      hosts:
        - "nix-cache.raspi.home"
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: nix-cache.raspi.home
spec:
  commonName: nix-cache.raspi.home
  dnsNames:
    - "nix-cache.raspi.home"
  secretName: nix-cache-raspi-home-tls
  issuerRef:
    name: ca-issuer
    kind: ClusterIssuer
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: nix-cache-config
data:
  # See: https://www.channable.com/tech/setting-up-a-private-nix-cache-for-fun-and-profit
  nginx.conf: |
    events {
        worker_connections 1024;
    }
    http {
      proxy_cache_path /data/nginx/cache max_size=500G keys_zone=cache_zone:50m inactive=365d;
      proxy_cache cache_zone;
      proxy_cache_valid 200 365d;
      proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_504 http_403 http_404 http_429;
      proxy_ignore_headers X-Accel-Expires Expires Cache-Control Set-Cookie;
      proxy_cache_lock on;

      server {
          listen 80;

          server_name nix-cache.raspi.home;

          location /nix-cache-info {
              return 200 "StoreDir: /nix/store\nWantMassQuery: 1\nPriority: 41\n";
          }

          location / {
              proxy_set_header Host $proxy_host;
              proxy_pass https://cache.nixos.org;
          }
      }
    }

The config is an adaption from this blog post: https://www.channable.com/tech/setting-up-a-private-nix-cache-for-fun-and-profit

That worked! Thank you! The trick is really to embed the bookmarks into each other :)

Thanks for the reply. When I disable the toolbar, the bookmarks are correctly placed in a folder but the folder is not visible in the toolbar anymore. So I can either have the bookmarks separately in the toolbar, or in a folder but not in the toolbar. The combination of both seems to be only possible if I move the bookmarks by hand in the UI :/

Thanks for the response. I’ll have a look at it. It still astonishes me that there is no off-the-shelf solution to such a trivial and common use case.

https://tauri.app/ is very popular and does not need electron. It uses the OS native we view.

I advocate for that since years. We need to normalize to pay for OSS. The biggest issue I see is not that people are unwilling to pay (donate) for the software they use daily, but the the payment itself is to complicated. There is not “the one” app store for OSS that every OS uses that makes donations easy. Additionally taking care of taxes for donations is too much of a burden, so the app store needs to handle that as well. And voila: You have the Apple App store or Android Play store.

Any advantages over distrobox? Sounds very similar.