treewide: support NIX_SSL_CERT_FILE as an impureEnvVar

This envvar is also added to lib.proxyImpureEnvVars since it's typically required for https proxies. This change also updates fetchgit and go module fetching to use this envvar. NIX_GIT_SSL_CAINFO is still supported for backwards compatibility in fetchgit.
2025-04-14 19:17:48 +00:00 · 2023-11-28 22:15:40 +11:00 · 2023-11-28 22:15:40 +11:00 · 911aa1440f
commit 911aa1440f
parent c455cc3170
5 changed files with 11 additions and 9 deletions
--- a/lib/fetchers.nix
+++ b/lib/fetchers.nix
@ -9,6 +9,9 @@
    # by definition pure.
    "http_proxy" "https_proxy" "ftp_proxy" "all_proxy" "no_proxy"
    "HTTP_PROXY" "HTTPS_PROXY" "FTP_PROXY" "ALL_PROXY" "NO_PROXY"
+
+    # https proxies typically need to inject custom root CAs too
+    "NIX_SSL_CERT_FILE"
  ];

 }
--- a/pkgs/build-support/fetchgit/default.nix
+++ b/pkgs/build-support/fetchgit/default.nix
@ -67,7 +67,7 @@ stdenvNoCC.mkDerivation {
  builder = ./builder.sh;
  fetcher = ./nix-prefetch-git;

-  nativeBuildInputs = [ git ]
+  nativeBuildInputs = [ git cacert ]
    ++ lib.optionals fetchLFS [ git-lfs ];

  outputHashAlgo = if hash != "" then null else "sha256";
@ -94,8 +94,6 @@ stdenvNoCC.mkDerivation {
    export HOME=$PWD
  '';

-  GIT_SSL_CAINFO = "${cacert}/etc/ssl/certs/ca-bundle.crt";
-
  impureEnvVars = lib.fetchers.proxyImpureEnvVars ++ netrcImpureEnvVars ++ [
    "GIT_PROXY_COMMAND" "NIX_GIT_SSL_CAINFO" "SOCKS_SERVER"
  ];
--- a/pkgs/build-support/fetchgit/nix-prefetch-git
+++ b/pkgs/build-support/fetchgit/nix-prefetch-git
@ -17,9 +17,9 @@ branchName=$NIX_PREFETCH_GIT_BRANCH_NAME
 out=${out:-}
 http_proxy=${http_proxy:-}

-# allow overwriting cacert's ca-bundle.crt with a custom one
-# this can be done by setting NIX_GIT_SSL_CAINFO and NIX_SSL_CERT_FILE environment variables for the nix-daemon
-GIT_SSL_CAINFO=${NIX_GIT_SSL_CAINFO:-$GIT_SSL_CAINFO}
+# NOTE: use of NIX_GIT_SSL_CAINFO is for backwards compatibility; NIX_SSL_CERT_FILE is preferred
+# as of PR#303307
+GIT_SSL_CAINFO=${NIX_GIT_SSL_CAINFO:-$NIX_SSL_CERT_FILE}

 # populated by clone_user_rev()
 fullRev=
--- a/pkgs/build-support/go/module.nix
+++ b/pkgs/build-support/go/module.nix
@ -136,6 +136,7 @@ in
        exit 10
      fi

+      export GIT_SSL_CAINFO=$NIX_SSL_CERT_FILE
      ${if finalAttrs.proxyVendor then ''
        mkdir -p "''${GOPATH}/pkg/mod/cache/download"
        go mod download
--- a/pkgs/data/misc/cacert/setup-hook.sh
+++ b/pkgs/data/misc/cacert/setup-hook.sh
@ -1,7 +1,7 @@
-export NIX_SSL_CERT_FILE=@out@/etc/ssl/certs/ca-bundle.crt
+export NIX_SSL_CERT_FILE="${NIX_SSL_CERT_FILE:-@out@/etc/ssl/certs/ca-bundle.crt}"

 # compatibility
 #  - openssl
-export SSL_CERT_FILE=@out@/etc/ssl/certs/ca-bundle.crt
+export SSL_CERT_FILE=$NIX_SSL_CERT_FILE
 #  - Haskell x509-system
-export SYSTEM_CERTIFICATE_PATH=@out@/etc/ssl/certs/ca-bundle.crt
+export SYSTEM_CERTIFICATE_PATH=$NIX_SSL_CERT_FILE