diff options
Diffstat (limited to 'pkgs/by-name/un/unbound/package.nix')
-rw-r--r-- | pkgs/by-name/un/unbound/package.nix | 170 |
1 files changed, 170 insertions, 0 deletions
diff --git a/pkgs/by-name/un/unbound/package.nix b/pkgs/by-name/un/unbound/package.nix new file mode 100644 index 0000000000000..1a9025a4a9078 --- /dev/null +++ b/pkgs/by-name/un/unbound/package.nix @@ -0,0 +1,170 @@ +{ stdenv +, lib +, fetchurl +, openssl +, nettle +, expat +, libevent +, libsodium +, protobufc +, hiredis +, python ? null +, swig +, dns-root-data +, pkg-config +, makeWrapper +, symlinkJoin +, bison +, nixosTests + # + # By default unbound will not be built with systemd support. Unbound is a very + # common dependency. The transitive dependency closure of systemd also + # contains unbound. + # Since most (all?) (lib)unbound users outside of the unbound daemon usage do + # not need the systemd integration it is likely best to just default to no + # systemd integration. + # For the daemon use-case, that needs to notify systemd, use `unbound-with-systemd`. + # +, withSystemd ? false +, systemd ? null + # optionally support DNS-over-HTTPS as a server +, withDoH ? false +, withECS ? false +, withDNSCrypt ? false +, withDNSTAP ? false +, withTFO ? false +, withRedis ? false +# Avoid .lib depending on lib.getLib openssl +# The build gets a little hacky, so in some cases we disable this approach. +, withSlimLib ? stdenv.isLinux && !stdenv.hostPlatform.isMusl && !withDNSTAP +# enable support for python plugins in unbound: note this is distinct from pyunbound +# see https://unbound.docs.nlnetlabs.nl/en/latest/developer/python-modules.html +, withPythonModule ? false +, withLto ? !stdenv.hostPlatform.isStatic && !stdenv.hostPlatform.isMinGW +, withMakeWrapper ? !stdenv.hostPlatform.isMinGW +, libnghttp2 + +# for passthru.tests +, gnutls +}: + +stdenv.mkDerivation (finalAttrs: { + pname = "unbound"; + version = "1.20.0"; + + src = fetchurl { + url = "https://nlnetlabs.nl/downloads/unbound/unbound-${finalAttrs.version}.tar.gz"; + hash = "sha256-VrTO7TNjlSIAD9lndVdt34eCuzYXYQcV1/Hnd8XsHb8="; + }; + + outputs = [ "out" "lib" "man" ]; # "dev" would only split ~20 kB + + nativeBuildInputs = + lib.optionals withMakeWrapper [ makeWrapper ] + ++ lib.optionals withDNSTAP [ protobufc ] + ++ [ pkg-config ] + ++ lib.optionals withPythonModule [ swig ]; + + buildInputs = [ openssl nettle expat libevent ] + ++ lib.optionals withSystemd [ systemd ] + ++ lib.optionals withDoH [ libnghttp2 ] + ++ lib.optionals withPythonModule [ python ]; + + enableParallelBuilding = true; + + configureFlags = [ + "--with-ssl=${openssl.dev}" + "--with-libexpat=${expat.dev}" + "--with-libevent=${libevent.dev}" + "--localstatedir=/var" + "--sysconfdir=/etc" + "--sbindir=\${out}/bin" + "--with-rootkey-file=${dns-root-data}/root.key" + "--enable-pie" + "--enable-relro-now" + ] ++ lib.optionals (!withLto) [ + "--disable-flto" + ] ++ lib.optionals withSystemd [ + "--enable-systemd" + ] ++ lib.optionals withPythonModule [ + "--with-pythonmodule" + ] ++ lib.optionals withDoH [ + "--with-libnghttp2=${libnghttp2.dev}" + ] ++ lib.optionals withECS [ + "--enable-subnet" + ] ++ lib.optionals withDNSCrypt [ + "--enable-dnscrypt" + "--with-libsodium=${symlinkJoin { name = "libsodium-full"; paths = [ libsodium.dev libsodium.out ]; }}" + ] ++ lib.optionals withDNSTAP [ + "--enable-dnstap" + ] ++ lib.optionals withTFO [ + "--enable-tfo-client" + "--enable-tfo-server" + ] ++ lib.optionals withRedis [ + "--enable-cachedb" + "--with-libhiredis=${hiredis}" + ]; + + PROTOC_C = lib.optionalString withDNSTAP "${protobufc}/bin/protoc-c"; + + # Remove references to compile-time dependencies that are included in the configure flags + postConfigure = let + inherit (builtins) storeDir; + in '' + sed -E '/CONFCMDLINE/ s;${storeDir}/[a-z0-9]{32}-;${storeDir}/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-;g' -i config.h + ''; + + nativeCheckInputs = [ bison ]; + + doCheck = true; + + postPatch = lib.optionalString withPythonModule '' + substituteInPlace Makefile.in \ + --replace "\$(DESTDIR)\$(PYTHON_SITE_PKG)" "$out/${python.sitePackages}" + ''; + + installFlags = [ "configfile=\${out}/etc/unbound/unbound.conf" ]; + + postInstall = '' + make unbound-event-install + '' + lib.optionalString withMakeWrapper '' + wrapProgram $out/bin/unbound-control-setup \ + --prefix PATH : ${lib.makeBinPath [ openssl ]} + '' + lib.optionalString (withMakeWrapper && withPythonModule) '' + wrapProgram $out/bin/unbound \ + --prefix PYTHONPATH : "$out/${python.sitePackages}" \ + --argv0 $out/bin/unbound + ''; + + preFixup = lib.optionalString withSlimLib + # Build libunbound again, but only against nettle instead of openssl. + # This avoids gnutls.out -> unbound.lib -> lib.getLib openssl. + '' + configureFlags="$configureFlags --with-nettle=${nettle.dev} --with-libunbound-only" + configurePhase + buildPhase + if [ -n "$doCheck" ]; then + checkPhase + fi + installPhase + '' + # get rid of runtime dependencies on $dev outputs + + ''substituteInPlace "$lib/lib/libunbound.la" '' + + lib.concatMapStrings + (pkg: lib.optionalString (pkg ? dev) " --replace '-L${pkg.dev}/lib' '-L${pkg.out}/lib' --replace '-R${pkg.dev}/lib' '-R${pkg.out}/lib'") + (builtins.filter (p: p != null) finalAttrs.buildInputs); + + passthru.tests = { + inherit gnutls; + nixos-test = nixosTests.unbound; + nixos-test-exporter = nixosTests.prometheus-exporters.unbound; + }; + + meta = with lib; { + description = "Validating, recursive, and caching DNS resolver"; + license = licenses.bsd3; + homepage = "https://www.unbound.net"; + maintainers = lib.teams.helsinki-systems.members; + platforms = platforms.unix ++ platforms.windows; + }; +}) |