diff --git a/pkgs/build-support/mitm-cache/default.nix b/pkgs/build-support/mitm-cache/default.nix
new file mode 100644
index 000000000000..dd44a7ddca9a
--- /dev/null
+++ b/pkgs/build-support/mitm-cache/default.nix
@@ -0,0 +1,44 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, callPackage
+, rustPlatform
+, substituteAll
+, openssl
+, Security
+, python3Packages
+}:
+
+rustPlatform.buildRustPackage rec {
+ pname = "mitm-cache";
+ version = "0.1.1";
+
+ src = fetchFromGitHub {
+ owner = "chayleaf";
+ repo = "mitm-cache";
+ rev = "v${version}";
+ hash = "sha256-l9dnyA4Zo4jlbiCMRzUqW3NkiploVpmvxz9i896JkXU=";
+ };
+
+ buildInputs = lib.optionals stdenv.isDarwin [
+ Security
+ ];
+
+ cargoHash = "sha256-6eYOSSlswJGR2IrFo17qVnwI+h2FkyTjLFvwf62nG2c=";
+
+ setupHook = substituteAll {
+ src = ./setup-hook.sh;
+ inherit openssl;
+ ephemeral_port_reserve = python3Packages.ephemeral-port-reserve;
+ };
+
+ passthru.fetch = callPackage ./fetch.nix { };
+
+ meta = with lib; {
+ description = "A MITM caching proxy for use in nixpkgs";
+ homepage = "https://github.com/chayleaf/mitm-cache#readme";
+ license = licenses.mit;
+ maintainers = with maintainers; [ chayleaf ];
+ mainProgram = "mitm-cache";
+ };
+}
diff --git a/pkgs/build-support/mitm-cache/fetch.nix b/pkgs/build-support/mitm-cache/fetch.nix
new file mode 100644
index 000000000000..4e1f24ae7d7b
--- /dev/null
+++ b/pkgs/build-support/mitm-cache/fetch.nix
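Review bot: Nothing in this expression documents the contract the setup hook imposes on consumers: per the setup-hook.sh hunk in this commit it only triggers when `$mitmCache` names a directory, reads `$mitmCachePort` as an override, and rewrites `http_proxy`/`https_proxy`/`SSL_CERT_FILE`/`NIX_SSL_CERT_FILE` for the whole build, while `passthru.fetch` is what produces that directory. A short comment above `setupHook = substituteAll {` such as `# Setup hook: when $mitmCache points at a fetched cache (see passthru.fetch), start a replay proxy and route http(s)_proxy and the SSL CA env vars through it; $mitmCachePort overrides the port.` would make that interface discoverable from the package itself.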
@@ -0,0 +1,49 @@
+{ lib
+, fetchurl
+, runCommand
+, writeText
+}:
+
+{ name ? "deps"
+, data
+, dontFixup ? true
+, ...
+}
+@ attrs:
+
+let
+ data' = builtins.removeAttrs
+ (if builtins.isPath data then lib.importJSON data else data)
+ [ "!version" ];
+
+ urlToPath = url:
+ if lib.hasPrefix "https://" url then (
+ let
+ url' = lib.drop 2 (lib.splitString "/" url);
+ in "https/${builtins.concatStringsSep "/" url'}"
+ )
+ else builtins.replaceStrings ["://"] ["/"] url;
+ code = ''
+ mkdir -p "$out"
+ cd "$out"
+ '' + builtins.concatStringsSep "" (lib.mapAttrsToList (url: info:
+ let
+ key = builtins.head (builtins.attrNames info);
+ val = info.${key};
+ path = urlToPath url;
+ name = baseNameOf path;
+ source = {
+ redirect = "$out/${urlToPath val}";
+ hash = fetchurl { inherit url; hash = val; };
+ text = writeText name val;
+ }.${key} or (throw "Unknown key: ${url}");
+ in ''
+ mkdir -p "${dirOf path}"
+ ln -s "${source}" "${path}"
+ '') data');
+in
+ runCommand name (builtins.removeAttrs attrs [ "name" "data" ] // {
+ passthru = (attrs.passthru or {}) // {
+ data = writeText "deps.json" (builtins.toJSON data);
+ };
+ }) code
diff --git a/pkgs/build-support/mitm-cache/setup-hook.sh b/pkgs/build-support/mitm-cache/setup-hook.sh
new file mode 100644
index 000000000000..219674eb9ea4
--- /dev/null
+++ b/pkgs/build-support/mitm-cache/setup-hook.sh
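Review bot: The result of `urlToPath` is used verbatim as the `mkdir -p` and `ln -s` targets under `$out`, and again for the `redirect` target, so a recorded URL or redirect location containing a `..` segment would place the link outside `$out` instead of failing evaluation; since the data file is derived from recorded server responses, it is worth rejecting such paths at evaluation time by asserting that no segment of the computed path equals `..` (sketch below). Separately, `passthru.data` serialises `data` itself, and when `data` is a path `builtins.toJSON` emits the store path as a JSON string rather than the file's contents, so it should serialise the imported attrset the way `data'` does, e.g. `data = writeText "deps.json" (builtins.toJSON (if builtins.isPath data then lib.importJSON data else data));` — worth confirming against how callers read `passthru.data`.
```nix
  urlToPath = url:
    let
      path =
        if lib.hasPrefix "https://" url
        then "https/${builtins.concatStringsSep "/" (lib.drop 2 (lib.splitString "/" url))}"
        else builtins.replaceStrings ["://"] ["/"] url;
    in
      # a ".." segment would let the mkdir -p / ln -s below escape $out
      assert lib.assertMsg (!(builtins.elem ".." (lib.splitString "/" path)))
        "mitm-cache fetch: refusing URL with a '..' path segment: ${url}";
      path;
  # … unchanged: code (mkdir/ln loop) and the runCommand call …
```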
@@ -0,0 +1,21 @@
+mitmCacheConfigureHook() {
+ if [ -d "$mitmCache" ] && [ -z "$MITM_CACHE_CERT_DIR" ]; then
+ MITM_CACHE_CERT_DIR="$(mktemp -d)"
+ pushd "$MITM_CACHE_CERT_DIR"
+ MITM_CACHE_CA="$MITM_CACHE_CERT_DIR/ca.cer"
+ @openssl@/bin/openssl genrsa -out ca.key 2048
+ @openssl@/bin/openssl req -x509 -new -nodes -key ca.key -sha256 -days 1 -out ca.cer -subj "/C=AL/ST=a/L=a/O=a/OU=a/CN=example.org"
+ MITM_CACHE_HOST="127.0.0.1"
+ MITM_CACHE_PORT="${mitmCachePort:-$(@ephemeral_port_reserve@/bin/ephemeral-port-reserve "$MITM_CACHE_HOST")}"
+ MITM_CACHE_ADDRESS="$MITM_CACHE_HOST:$MITM_CACHE_PORT"
+ export http_proxy="$MITM_CACHE_ADDRESS"
+ export https_proxy="$MITM_CACHE_ADDRESS"
+ export SSL_CERT_FILE="$MITM_CACHE_CA"
+ export NIX_SSL_CERT_FILE="$MITM_CACHE_CA"
+ mitm-cache -l"$MITM_CACHE_ADDRESS" replay "$mitmCache" >/dev/null 2>/dev/null &
+ popd
+ fi
+}
+
+# prepend it so any other configure hooks can use the generated root CA
+preConfigureHooks=(mitmCacheConfigureHook "${preConfigureHooks[@]}")
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 27412bbac617..d26f1cdcd4af 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -1391,6 +1391,10 @@ with pkgs;
 makeHardcodeGsettingsPatch = callPackage ../build-support/make-hardcode-gsettings-patch { };
+ mitm-cache = callPackage ../build-support/mitm-cache {
+ inherit (darwin.apple_sdk.frameworks) Security;
+ };
+
 # intended to be used like nix-build -E 'with import { }; enableDebugging fooPackage'
 enableDebugging = pkg: pkg.override { stdenv = stdenvAdapters.keepDebugInfo pkg.stdenv; };
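Review bot: The `mitm-cache -l"$MITM_CACHE_ADDRESS" replay … &` line backgrounds the proxy with stdout and stderr discarded and nothing waits for it to listen, so the build's first network access can race the proxy's startup, and a bind failure (a `$mitmCachePort` already in use, an unreadable cache) stays invisible until some later fetch fails with an unrelated-looking error. I would keep stderr in a log file under `$MITM_CACHE_CERT_DIR`, poll the address with a bounded loop before leaving the hook, and fail the hook with the log contents if the process exits early (sketch below; the `/dev/tcp` probe assumes the stdenv bash was built with net redirections, otherwise substitute an openssl or curl probe, and `return 1` relies on the hook running under stdenv's `set -e`). Whether mitm-cache binds synchronously before the shell backgrounds it cannot be told from this hunk. Also worth noting that `http_proxy`/`https_proxy` are set to a bare `host:port`; most clients accept that form, but the scheme-qualified `http://$MITM_CACHE_ADDRESS` is the more portable value.
```shell
    # … unchanged: CA generation, port reservation, proxy env exports …
    mitm-cache -l"$MITM_CACHE_ADDRESS" replay "$mitmCache" >/dev/null 2>"$MITM_CACHE_CERT_DIR/mitm-cache.log" &
    MITM_CACHE_PID=$!
    # Bounded wait until the proxy accepts connections so the build's first
    # fetch cannot race its startup; surface the log if it died meanwhile.
    local try
    for try in $(seq 1 50); do
      if ! kill -0 "$MITM_CACHE_PID" 2>/dev/null; then
        echo "mitm-cache exited during startup:" >&2
        cat "$MITM_CACHE_CERT_DIR/mitm-cache.log" >&2
        popd
        return 1
      fi
      if (exec 3<>"/dev/tcp/$MITM_CACHE_HOST/$MITM_CACHE_PORT") 2>/dev/null; then
        break
      fi
      sleep 0.1
    done
    popd
```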