From 970d249d39ccac356c705e6e4db6318ffe93dd42 Mon Sep 17 00:00:00 2001
From: Simon Bruder <simon@sbruder.de>
Date: Sun, 14 Nov 2021 10:07:09 +0100
Subject: [PATCH] invidious: unstable-2021-11-08 -> unstable-2021-11-13
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This update disables QUIC by default which fixes Invidious not loading
anything except for the home page due to YouTube no longer accepting
HTTP/3 (Upstream Issue:
https://github.com/iv-org/invidious/issues/2577).

It therefore uses Crystal’s internal HTTP client, which failed because
the statically linked boringssl (required by lsquic) overrides OpenSSL’s
CA certificate file location. This is fixed by applying the same patch
to boringssl that is applied to openssl for using the correct CA
certificate file.
---
 pkgs/servers/invidious/default.nix             |  6 +++---
 pkgs/servers/invidious/lsquic.nix              |  5 +++++
 pkgs/servers/invidious/use-etc-ssl-certs.patch | 13 +++++++++++++
 3 files changed, 21 insertions(+), 3 deletions(-)
 create mode 100644 pkgs/servers/invidious/use-etc-ssl-certs.patch

diff --git a/pkgs/servers/invidious/default.nix b/pkgs/servers/invidious/default.nix
index 7e939f51bc952..a50c128b03f57 100644
--- a/pkgs/servers/invidious/default.nix
+++ b/pkgs/servers/invidious/default.nix
@@ -8,17 +8,17 @@ let
   #  * shards.nix (by running `crystal2nix` in invidious’ source tree)
   #  * If the lsquic.cr dependency changed: lsquic in lsquic.nix (version, sha256)
   #  * If the lsquic version changed: boringssl' in lsquic.nix (version, sha256)
-  rev = "21879da80d2dfa97e789a13b90e82e466c4854e3";
+  rev = "00904ae3f2ab6a3cf5f96012d36c5672c3aa17b4";
 in
 crystal.buildCrystalPackage rec {
   pname = "invidious";
-  version = "unstable-2021-11-08";
+  version = "unstable-2021-11-13";
 
   src = fetchFromGitHub {
     owner = "iv-org";
     repo = pname;
     inherit rev;
-    sha256 = "0jvnwjdh2l0hxfvzim00r3zbs528bb93y1nk0bjrbbrcfv5cn5ss";
+    sha256 = "sha256-DET4jvB5epkpl5/HTORNTWDL4Ck4IsqhdTApJE8t6Tg=";
   };
 
   postPatch =
diff --git a/pkgs/servers/invidious/lsquic.nix b/pkgs/servers/invidious/lsquic.nix
index 35b93e4249f26..fbef8805bb536 100644
--- a/pkgs/servers/invidious/lsquic.nix
+++ b/pkgs/servers/invidious/lsquic.nix
@@ -8,6 +8,11 @@ let
       rev = version;
       sha256 = "sha256-EU6T9yQCdOLx98Io8o01rEsgxDFF/Xoy42LgPopD2/A=";
     };
+
+    patches = [
+      # Use /etc/ssl/certs/ca-certificates.crt instead of /etc/ssl/cert.pem
+      ./use-etc-ssl-certs.patch
+    ];
   });
 in
 stdenv.mkDerivation rec {
diff --git a/pkgs/servers/invidious/use-etc-ssl-certs.patch b/pkgs/servers/invidious/use-etc-ssl-certs.patch
new file mode 100644
index 0000000000000..b60b0b1f1a122
--- /dev/null
+++ b/pkgs/servers/invidious/use-etc-ssl-certs.patch
@@ -0,0 +1,13 @@
+diff --git a/crypto/x509/x509_def.c b/crypto/x509/x509_def.c
+index d2bc3e5c1..329580075 100644
+--- a/crypto/x509/x509_def.c
++++ b/crypto/x509/x509_def.c
+@@ -67,7 +67,7 @@
+ 
+ #define X509_CERT_AREA          OPENSSLDIR
+ #define X509_CERT_DIR           OPENSSLDIR "/certs"
+-#define X509_CERT_FILE          OPENSSLDIR "/cert.pem"
++#define X509_CERT_FILE          "/etc/ssl/certs/ca-certificates.crt"
+ #define X509_PRIVATE_DIR        OPENSSLDIR "/private"
+ #define X509_CERT_DIR_EVP        "SSL_CERT_DIR"
+ #define X509_CERT_FILE_EVP       "SSL_CERT_FILE"