nss: add option to use p11-kit

This commit adds an option to replace libnssckbi with the
p11-kit-trust[1] module. It makes all NSS application (like Firefox,
Chromium, etc.) use the system trust store (/etc/ssl/certs/ in NixOS)
and other PKCS#11 modules without ad-hoc configuration.

This approach was first implemented in Fedora[2] and other distributions
like Arch Linux, later.
[1]: https://p11-glue.github.io/p11-glue/p11-kit/manual/trust-nss.html

[2]: https://fedoraproject.org/wiki/Features/SharedSystemCertificates

pkgs/development/libraries/nss/default.nix

@@ -1,4 +1,7 @@
-{ lib, stdenv, fetchurl, nspr, perl, zlib, sqlite, darwin, fixDarwinDylibNames, buildPackages, ninja
+{ lib, stdenv, fetchurl, nspr, perl, zlib
+, sqlite, ninja
+, darwin, fixDarwinDylibNames, buildPackages
+, useP11kit ? true, p11-kit
 , # allow FIPS mode. Note that this makes the output non-reproducible.
   # https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Tech_Notes/nss_tech_note6
   enableFIPS ? false
@@ -139,6 +142,11 @@ in stdenv.mkDerivation rec {
     chmod 0755 $out/bin/nss-config
   '';
 
+  postInstall = stdenv.lib.optionalString useP11kit ''
+    # Replace built-in trust with p11-kit connection
+    ln -sf ${p11-kit}/lib/pkcs11/p11-kit-trust.so $out/lib/libnssckbi.so
+  '';
+
   postFixup = let
     isCross = stdenv.hostPlatform != stdenv.buildPlatform;
     nss = if isCross then buildPackages.nss.tools else "$out";