
fix(nix): pass NODE_EXTRA_CA_CERTS through to bun in node_modules build#18405

Open

HacknBashe wants to merge 2 commits into anomalyco:dev from HacknBashe:fix/nix-node-extra-ca-certs

Conversation


@HacknBashe HacknBashe commented Mar 20, 2026

Issue for this PR

Closes #18407

Type of change

  • Bug fix
  • New feature
  • Refactor / code improvement
  • Documentation

What does this PR do?

Adds NODE_EXTRA_CA_CERTS to impureEnvVars in the node_modules fixed-output derivation

Corporate environments with TLS inspection proxies inject their own CA certificates into the chain. This causes bun to fail with SELF_SIGNED_CERT_IN_CHAIN when fetching GitHub tarballs (e.g. ghostty-web) during the nix build.

lib.fetchers.proxyImpureEnvVars already includes NIX_SSL_CERT_FILE, but bun ignores that and only reads NODE_EXTRA_CA_CERTS. Without it in impureEnvVars, there's no way to pass a custom CA bundle through to bun in the sandboxed build.

How did you verify your code works?

No longer see the self-signed cert error when building my nix flake against my local opencode repo with this change.

    opencode = {
      url = "path:/Users/**/src/opencode";
      inputs.nixpkgs.follows = "nixpkgs";
    };

Screenshots / recordings

error: Cannot build '/nix/store/gkas8rz3acaf0ki1yxgh2p5g5vsn33yg-opencode-node_modules-1.2.27-dirty.drv'.
       Reason: builder failed with exit code 1.
       Output paths:
         /nix/store/p4f478rz4w49p6jlywsrkgw4kbmnz427-opencode-node_modules-1.2.27-dirty
       Last 11 log lines:
       > Running phase: unpackPhase
       > unpacking source archive /nix/store/n45409qd16qldkr02dn2f8rq4wj7bd73-source
       > source root is source
       > Running phase: patchPhase
       > Running phase: updateAutotoolsGnuConfigScriptsPhase
       > Running phase: buildPhase
       > bun install v1.3.10 (30e609e0)
       > Resolving dependencies
       > Resolved, downloaded and extracted [434]
       > error: SELF_SIGNED_CERT_IN_CHAIN downloading tarball ghostty-web@github:anomalyco/ghostty-web#main
       > error: ghostty-web@github:anomalyco/ghostty-web#main failed to resolve

Old error that is gone.

===

Checklist

  • I have tested my changes locally
  • I have not included unrelated changes in this PR

If you do not follow this template your PR will be automatically rejected.
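The following fixed-output derivation is an added illustration of the mechanism the PR describes, not opencode's own nix code: names such as `src`, `bun`, and the hash are placeholders, and the NIX_SSL_CERT_FILE fallback in buildPhase is an assumption about how the bridging could look. The weak setting is shown commented out beside the corrected one.

```nix
# Illustrative fixed-output derivation (added example, not the project's code).
# `src`, `bun`, and the outputHash are placeholders.
{ lib, stdenvNoCC, bun, src }:

stdenvNoCC.mkDerivation {
  pname = "example-node_modules";
  version = "0.0.0";
  inherit src;
  nativeBuildInputs = [ bun ];

  # Fixed-output derivation: the sandbox may use the network, and the result
  # is checked against outputHash, so a substituted CA bundle can only make
  # the build fail, not silently change what lands in the store.
  outputHashMode = "recursive";
  outputHashAlgo = "sha256";
  outputHash = lib.fakeHash; # PLACEHOLDER: replace with the real hash

  # Before: only the proxy variables (including NIX_SSL_CERT_FILE) were
  # forwarded, and bun does not read NIX_SSL_CERT_FILE.
  # impureEnvVars = lib.fetchers.proxyImpureEnvVars;
  # After: also forward the variable bun actually honours.
  impureEnvVars = lib.fetchers.proxyImpureEnvVars ++ [ "NODE_EXTRA_CA_CERTS" ];

  buildPhase = ''
    runHook preBuild
    # Assumed fallback: reuse the Nix-provided CA file when only that one is set.
    if [ -z "''${NODE_EXTRA_CA_CERTS:-}" ] && [ -n "''${NIX_SSL_CERT_FILE:-}" ]; then
      export NODE_EXTRA_CA_CERTS="$NIX_SSL_CERT_FILE"
    fi
    bun install --frozen-lockfile
    runHook postBuild
  '';

  installPhase = ''
    runHook preInstall
    cp -r node_modules $out
    runHook postInstall
  '';
}
```

Because impureEnvVars is only honoured for fixed-output derivations, the outputHash remains the control that detects a differing download regardless of which CA bundle was trusted.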

@github-actions github-actions bot added needs:compliance This means the issue will auto-close after 2 hours. needs:issue labels Mar 20, 2026
@github-actions
Contributor

Thanks for your contribution!

This PR doesn't have a linked issue. All PRs must reference an existing issue.

Please:

  1. Open an issue describing the bug/feature (if one doesn't exist)
  2. Add Fixes #<number> or Closes #<number> to this PR description

See CONTRIBUTING.md for details.

@github-actions github-actions bot removed needs:issue needs:compliance This means the issue will auto-close after 2 hours. labels Mar 20, 2026
@github-actions
Contributor

Thanks for updating your PR! It now meets our contributing guidelines. 👍

@HacknBashe HacknBashe force-pushed the fix/nix-node-extra-ca-certs branch from 86855e4 to c16b605 Compare March 20, 2026 16:06
@HacknBashe HacknBashe marked this pull request as ready for review March 20, 2026 16:19
@HacknBashe HacknBashe marked this pull request as draft March 21, 2026 02:15
HacknBashe and others added 2 commits March 20, 2026 22:15

Corporate environments with TLS inspection proxies cause bun to fail
with SELF_SIGNED_CERT_IN_CHAIN during the node_modules build.
NIX_SSL_CERT_FILE is already passed through via proxyImpureEnvVars, but
bun only reads NODE_EXTRA_CA_CERTS. This bridges the two in the build
phase so no external daemon configuration is needed.

Remove comments about bridging NIX_SSL_CERT_FILE to NODE_EXTRA_CA_CERTS.
@HacknBashe HacknBashe force-pushed the fix/nix-node-extra-ca-certs branch from 3e74a90 to 3f8a32d Compare March 21, 2026 02:15
@HacknBashe HacknBashe marked this pull request as ready for review March 21, 2026 02:16
@HacknBashe
Author

I think my opencode agent requested this review? Not sure why you were pinged adam, sorry

Development

Successfully merging this pull request may close these issues.

Nix build fails behind corporate TLS proxy: bun SELF_SIGNED_CERT_IN_CHAIN