diff --git a/nixos/modules/services/misc/taskserver.nix b/nixos/modules/services/misc/taskserver.nix
index d3ab9c80e077..6d9cfdbfe4c3 100644
--- a/nixos/modules/services/misc/taskserver.nix
+++ b/nixos/modules/services/misc/taskserver.nix
@@ -47,6 +47,7 @@ let
 ${mkConfLine "server.crl" cfg.server.crl}
 # certificates
+ ${mkConfLine "trust" cfg.server.trust}
 ${if needToCreateCA then ''
 ca.cert = ${cfg.dataDir}/keys/ca.cert
 server.cert = ${cfg.dataDir}/keys/server.cert
@@ -233,6 +234,19 @@ in {
 a configuration file reload before the next request is handled.
 '';
 };
+
+ trust = mkOption {
+ type = types.enum [ "allow all" "strict" ];
+ default = "strict";
+ description = ''
+ Determines how client certificates are validated.
+
+ The value allow all performs no client
+ certificate validation. This is not recommended. The value
+ strict causes the client certificate to be
+ validated against a CA.
+ '';
+ };
 };
 };
 };
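Review bot: The `trust` option added in the second hunk accepts `allow all` with only a "not recommended" sentence in its description, so a host can be deployed with client certificate validation switched off and nothing flags it at evaluation time. Consider emitting a module warning for that value, for example `warnings = optional (cfg.server.trust == "allow all") "taskserver: trust = allow all disables client certificate validation";`. The module's `config` section is outside this hunk, so the right place for it needs checking. The description should also say what still gates access in that mode (presumably only the per-user taskd credentials; confirm against the taskd documentation), so an operator can judge the exposure before choosing it. Keeping `strict` as the default is the right call and is worth noting in the description as the only setting intended for network-reachable servers.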