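{ config, pkgs, ... }:

let
  # Cut one certificate out of the ca-bundle.crt file shipped by pkgs.cacert
  # and expose it as a standalone PEM file.
  # https://gist.github.com/erictapen/841190c8b7d63b775df21123d55eddcb
  cert = pkgs.stdenv.mkDerivation rec {
    name = "telesec-globalroot-class-2.pem";

    # awk helper. Rule order matters:
    #   1. print the current line while the flag `a` is set,
    #   2. clear the flag on the END marker (after it has been printed),
    #   3. set the flag on the label line (after rule 1, so the label itself
    #      is not printed).
    # Assumes the bundle puts the human-readable label on its own line
    # directly before the PEM block -- confirm against the cacert version in use.
    # The label is matched as an unanchored regex, so any line that merely
    # contains this text would also start a capture; the count check in
    # installPhase catches that case.
    src = builtins.toFile "${name}-awk-helper" ''
      { if(a > 0) { print } }
      /-----END CERTIFICATE-----/ { a = 0 }
      /T-TeleSec GlobalRoot Class 2/ { a = 1 }
    '';

    nativeBuildInputs = with pkgs; [ cacert gawk gnugrep ];

    # Only installPhase runs; src is a plain file, so there is nothing to unpack.
    phases = "installPhase";

    installPhase = ''
      ${pkgs.gawk}/bin/awk -f $src ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt > $out

      # awk exits 0 even when the label never matches, which would install an
      # empty file as the trust anchor (e.g. after the root is dropped from or
      # renamed in the bundle). Fail the build unless exactly one certificate
      # was extracted. grep -c exits 1 on zero matches, hence the "|| true".
      found=$(${pkgs.gnugrep}/bin/grep -c -e '-----BEGIN CERTIFICATE-----' "$out" || true)
      if [ "$found" -ne 1 ]; then
        echo "expected exactly one certificate labelled T-TeleSec GlobalRoot Class 2 in the cacert bundle, found $found" >&2
        exit 1
      fi
    '';
  };
in
{
  # Installs the extracted certificate as /etc/t-telesec.pem.
  environment.etc."t-telesec.pem".source = cert;
}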