gnutls: respect NIX_SSL_CERT_FILE, same as our openssl

The patch should work fine, regardless of the Darwin patch being applied.

pkgs/development/libraries/gnutls/default.nix

@@ -30,8 +30,9 @@ stdenv.mkDerivation {
   outputs = [ "bin" "dev" "out" "man" "devdoc" ];
   outputInfo = "devdoc";
 
+  patches = [ ./nix-ssl-cert-file.patch ]
     # Disable native add_system_trust.
-  patches = lib.optional (isDarwin && !withSecurity) ./no-security-framework.patch;
+    ++ lib.optional (isDarwin && !withSecurity) ./no-security-framework.patch;
 
   # Skip some tests:
   #  - pkgconfig: building against the result won't work before installing (3.5.11)

pkgs/development/libraries/gnutls/nix-ssl-cert-file.patch

@@ -0,0 +1,19 @@
+allow overriding system trust store location via $NIX_SSL_CERT_FILE
+
+diff --git a/lib/system/certs.c b/lib/system/certs.c
+index 611c645..6ef6edb 100644
+--- a/lib/system/certs.c
++++ b/lib/system/certs.c
+@@ -369,6 +369,11 @@ gnutls_x509_trust_list_add_system_trust(gnutls_x509_trust_list_t list,
+ 					unsigned int tl_flags,
+ 					unsigned int tl_vflags)
+ {
+-	return add_system_trust(list, tl_flags|GNUTLS_TL_NO_DUPLICATES, tl_vflags);
++	tl_flags = tl_flags|GNUTLS_TL_NO_DUPLICATES;
++	const char *file = secure_getenv("NIX_SSL_CERT_FILE");
++	return file
++		? gnutls_x509_trust_list_add_trust_file(
++			list, file, NULL/*CRL*/, GNUTLS_X509_FMT_PEM, tl_flags, tl_vflags)
++		: add_system_trust(list, tl_flags, tl_vflags);
+ }
+