authorLuke Granger-Brown <git@lukegb.com>2021-10-08 01:20:51 +0000
committerLuke Granger-Brown <git@lukegb.com>2021-10-08 01:21:57 +0000
commit91e495708137fd2b9e4f66d01285b53b1569a26a (patch)
tree3f50ab1ecfd74c84bb107445c98265acca36e50d /pkgs/data/misc
parent906f44cef305d59b743758bfb30678433130a5de (diff)
cacert: extract certdata.txt from main package
This allows users to specify custom CAs without needing to download the
entirety of the NSS source code - just certdata.txt, which should end up
in cache.nixos.org.
Diffstat (limited to 'pkgs/data/misc')
-rw-r--r--pkgs/data/misc/cacert/default.nix55
-rwxr-xr-xpkgs/data/misc/cacert/update.sh4
2 files changed, 40 insertions, 19 deletions
diff --git a/pkgs/data/misc/cacert/default.nix b/pkgs/data/misc/cacert/default.nix
index da781f310f4c1..49645ee800838 100644
--- a/pkgs/data/misc/cacert/default.nix
+++ b/pkgs/data/misc/cacert/default.nix
@@ -2,12 +2,14 @@
 , stdenv
 , writeText
 , fetchurl
-, nss
 , buildcatrust
 , blacklist ? []
 , extraCertificateFiles ? []
 , extraCertificateStrings ? []
 
+# Used by update.sh
+, nssOverride ? null
+
 # Used for tests only
 , runCommand
 , cacert
@@ -17,24 +19,49 @@
 let
   blocklist = writeText "cacert-blocklist.txt" (lib.concatStringsSep "\n" blacklist);
   extraCertificatesBundle = writeText "cacert-extra-certificates-bundle.crt" (lib.concatStringsSep "\n\n" extraCertificateStrings);
+
+  srcVersion = "3.71";
+  version = if nssOverride != null then nssOverride.version else srcVersion;
+  meta = with lib; {
+    homepage = "https://curl.haxx.se/docs/caextract.html";
+    description = "A bundle of X.509 certificates of public Certificate Authorities (CA)";
+    platforms = platforms.all;
+    maintainers = with maintainers; [ andir fpletz lukegb ];
+    license = licenses.mpl20;
+  };
+  certdata = stdenv.mkDerivation {
+    pname = "nss-cacert-certdata";
+    inherit version;
+
+    src = if nssOverride != null then nssOverride.src else fetchurl {
+      url = "mirror://mozilla/security/nss/releases/NSS_${lib.replaceStrings ["."] ["_"] version}_RTM/src/nss-${version}.tar.gz";
+      sha256 = "0ly2l3dv6z5hlxs72h5x6796ni3x1bq60saavaf42ddgv4ax7b4r";
+    };
+
+    dontBuild = true;
+
+    installPhase = ''
+      runHook preInstall
+
+      mkdir $out
+      cp nss/lib/ckfw/builtins/certdata.txt $out
+
+      runHook postInstall
+    '';
+
+    inherit meta;
+  };
 in
 stdenv.mkDerivation rec {
   pname = "nss-cacert";
-  version = "3.71";
+  inherit version;
 
-  src = fetchurl {
-    url = "mirror://mozilla/security/nss/releases/NSS_${lib.replaceStrings ["."] ["_"] version}_RTM/src/nss-${version}.tar.gz";
-    sha256 = "0ly2l3dv6z5hlxs72h5x6796ni3x1bq60saavaf42ddgv4ax7b4r";
-  };
+  src = certdata;
 
   outputs = [ "out" "unbundled" "p11kit" ];
 
   nativeBuildInputs = [ buildcatrust ];
 
-  configurePhase = ''
-    ln -s nss/lib/ckfw/builtins/certdata.txt
-  '';
-
   buildPhase = ''
     mkdir unbundled
     buildcatrust \
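Review bot: The new `nss-cacert-certdata` derivation inherits the whole `meta` of the bundle package, so a consumer who finds it (e.g. via `cacert.src`) is told it is "A bundle of X.509 certificates of public Certificate Authorities (CA)" with the curl caextract homepage, when its output is the raw Mozilla `certdata.txt` with trust bits still to be applied by buildcatrust; give it its own description, e.g. `description = "Raw certdata.txt from Mozilla NSS ${version} (input to the CA bundle, not a usable bundle)";`, and keep only `license`, `platforms` and `maintainers` shared. In the same block the install step uses unquoted `$out` and still runs stdenv's default configurePhase on the NSS tarball; `dontConfigure = true;` next to `dontBuild = true;` and `cp nss/lib/ckfw/builtins/certdata.txt "$out"/` would make the extraction step do only what it names. When `nssOverride` is set, `srcVersion` and the pinned `sha256` are silently unused — a one-line comment on `version` saying the hash applies only to the default source would save the next updater from "fixing" a hash that is never checked. The `buildPhase` that consumes the extracted file continues past the end of this hunk.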
@@ -176,11 +203,5 @@ stdenv.mkDerivation rec {
     };
   };
 
-  meta = with lib; {
-    homepage = "https://curl.haxx.se/docs/caextract.html";
-    description = "A bundle of X.509 certificates of public Certificate Authorities (CA)";
-    platforms = platforms.all;
-    maintainers = with maintainers; [ andir fpletz lukegb ];
-    license = licenses.mpl20;
-  };
+  inherit meta;
 }
diff --git a/pkgs/data/misc/cacert/update.sh b/pkgs/data/misc/cacert/update.sh
index 1c286dc6206f7..72d581b9650fa 100755
--- a/pkgs/data/misc/cacert/update.sh
+++ b/pkgs/data/misc/cacert/update.sh
@@ -28,7 +28,7 @@ BASEDIR="$(dirname "$0")/../../../.."
 
 
 CURRENT_PATH=$(nix-build --no-out-link -A cacert.out)
-PATCHED_PATH=$(nix-build --no-out-link -E "with import $BASEDIR {}; let nss_pkg = pkgs.nss_latest or pkgs.nss; in (cacert.overrideAttrs (_: { inherit (nss_pkg) src version; })).out")
+PATCHED_PATH=$(nix-build --no-out-link -E "with import $BASEDIR {}; let nss_pkg = pkgs.nss_latest or pkgs.nss; in (cacert.override { nssOverride = nss_pkg; }).out")
 
 # Check the hash of the etc subfolder
 # We can't check the entire output as that contains the nix-support folder
@@ -38,5 +38,5 @@ PATCHED_HASH=$(nix-hash "$PATCHED_PATH/etc")
 
 if [[ "$CURRENT_HASH" !=  "$PATCHED_HASH" ]]; then
     NSS_VERSION=$(nix-instantiate --json --eval -E "with import $BASEDIR {}; nss.version" | jq -r .)
-    update-source-version cacert "$NSS_VERSION"
+    update-source-version --version-key=srcVersion cacert.src "$NSS_VERSION"
 fi
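Review bot: The version written by the new `update-source-version --version-key=srcVersion cacert.src` line comes from `nss.version` (line above), while the bundle it was compared against was built from `pkgs.nss_latest or pkgs.nss` earlier in the script; if `nss_latest` exists and is ahead of `nss`, the hash mismatch is detected against one NSS release but `srcVersion` (and hence the fetch URL and hash) is bumped to another. Derive the version from the same package that produced `PATCHED_PATH`: `NSS_VERSION=$(nix-instantiate --json --eval -E "with import $BASEDIR {}; (pkgs.nss_latest or pkgs.nss).version" | jq -r .)`. Since `update-source-version` rewrites the pinned `sha256` from the new tarball, a mismatched version here would quietly pin the trust store to an unintended NSS release.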