cacert: Build directly from nss instead of our own tarball

nixos/modules/security/ca.nix

@@ -22,7 +22,7 @@ in
     security.pki.certificateFiles = mkOption {
       type = types.listOf types.path;
       default = [];
-      example = literalExample "[ \"\${pkgs.cacert}/etc/ca-bundle.crt\" ]";
+      example = literalExample "[ \"\${pkgs.cacert}/ca-bundle.crt\" ]";
       description = ''
         A list of files containing trusted root certificates in PEM
         format. These are concatenated to form
@@ -53,7 +53,7 @@ in
 
   config = {
 
-    security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ca-bundle.crt" ];
+    security.pki.certificateFiles = [ "${pkgs.cacert}/ca-bundle.crt" ];
 
     # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility.
     environment.etc."ssl/certs/ca-certificates.crt".source = caBundle;

pkgs/data/misc/cacert/default.nix

@@ -1,23 +1,29 @@
-{ stdenv, fetchurl }:
+{ stdenv, nss, curl-full, perl, perlPackages }:
 
 stdenv.mkDerivation rec {
-  name = "cacert-20140715";
+  name = "nss-cacert-${nss.version}";
 
-  src = fetchurl {
+  src = nss.src;
-    url = "http://tarballs.nixos.org/${name}.pem.bz2";
-    sha256 = "1l4j7z6ysnllx99isjzlc8zc34rbbgj4kzlg1y5sy9bgphc8cssl";
-  };
 
-  unpackPhase = "true";
+  postPatch = ''
-
+    unpackFile ${curl-full.src};
-  installPhase =
-    ''
-      mkdir -p $out/etc
-      bunzip2 < $src > $out/etc/ca-bundle.crt
   '';
 
-  meta = {
+  nativeBuildInputs = [ perl ] ++ (with perlPackages; [ LWP ]);
+
+  buildPhase = ''
+    perl curl-*/lib/mk-ca-bundle.pl -d "file://$(pwd)/nss/lib/ckfw/builtins/certdata.txt" ca-bundle.crt
+  '';
+
+  installPhase = ''
+    mkdir -pv $out
+    cp -v ca-bundle.crt $out
+  '';
+
+  meta = with stdenv.lib; {
     homepage = http://curl.haxx.se/docs/caextract.html;
     description = "A bundle of X.509 certificates of public Certificate Authorities (CA)";
+    platforms = platforms.all;
+    maintainers = with maintainers; [ wkennington ];
   };
 }