Diffstat (limited to 'pkgs/by-name/un/unbound/package.nix')
-rw-r--r--pkgs/by-name/un/unbound/package.nix170
1 files changed, 170 insertions, 0 deletions
diff --git a/pkgs/by-name/un/unbound/package.nix b/pkgs/by-name/un/unbound/package.nix
new file mode 100644
index 0000000000000..1a9025a4a9078
--- /dev/null
+++ b/pkgs/by-name/un/unbound/package.nix
@@ -0,0 +1,170 @@
+{ stdenv
+, lib
+, fetchurl
+, openssl
+, nettle
+, expat
+, libevent
+, libsodium
+, protobufc
+, hiredis
+, python ? null
+, swig
+, dns-root-data
+, pkg-config
+, makeWrapper
+, symlinkJoin
+, bison
+, nixosTests
+  #
+  # By default unbound will not be built with systemd support. Unbound is a very
+  # common dependency. The transitive dependency closure of systemd also
+  # contains unbound.
+  # Since most (all?) (lib)unbound users outside of the unbound daemon usage do
+  # not need the systemd integration it is likely best to just default to no
+  # systemd integration.
+  # For the daemon use-case, that needs to notify systemd, use `unbound-with-systemd`.
+  #
+, withSystemd ? false
+, systemd ? null
+  # optionally support DNS-over-HTTPS as a server
+, withDoH ? false
+, withECS ? false
+, withDNSCrypt ? false
+, withDNSTAP ? false
+, withTFO ? false
+, withRedis ? false
+# Avoid .lib depending on lib.getLib openssl
+# The build gets a little hacky, so in some cases we disable this approach.
+, withSlimLib ? stdenv.isLinux && !stdenv.hostPlatform.isMusl && !withDNSTAP
+# enable support for python plugins in unbound: note this is distinct from pyunbound
+# see https://unbound.docs.nlnetlabs.nl/en/latest/developer/python-modules.html
+, withPythonModule ? false
+, withLto ? !stdenv.hostPlatform.isStatic && !stdenv.hostPlatform.isMinGW
+, withMakeWrapper ? !stdenv.hostPlatform.isMinGW
+, libnghttp2
+
+# for passthru.tests
+, gnutls
+}:
+
+stdenv.mkDerivation (finalAttrs: {
+  pname = "unbound";
+  version = "1.20.0";
+
+  src = fetchurl {
+    url = "https://nlnetlabs.nl/downloads/unbound/unbound-${finalAttrs.version}.tar.gz";
+    hash = "sha256-VrTO7TNjlSIAD9lndVdt34eCuzYXYQcV1/Hnd8XsHb8=";
+  };
+
+  outputs = [ "out" "lib" "man" ]; # "dev" would only split ~20 kB
+
+  nativeBuildInputs =
+    lib.optionals withMakeWrapper [ makeWrapper ]
+    ++ lib.optionals withDNSTAP [ protobufc ]
+    ++ [ pkg-config ]
+    ++ lib.optionals withPythonModule [ swig ];
+
+  buildInputs = [ openssl nettle expat libevent ]
+    ++ lib.optionals withSystemd [ systemd ]
+    ++ lib.optionals withDoH [ libnghttp2 ]
+    ++ lib.optionals withPythonModule [ python ];
+
+  enableParallelBuilding = true;
+
+  configureFlags = [
+    "--with-ssl=${openssl.dev}"
+    "--with-libexpat=${expat.dev}"
+    "--with-libevent=${libevent.dev}"
+    "--localstatedir=/var"
+    "--sysconfdir=/etc"
+    "--sbindir=\${out}/bin"
+    "--with-rootkey-file=${dns-root-data}/root.key"
+    "--enable-pie"
+    "--enable-relro-now"
+  ] ++ lib.optionals (!withLto) [
+    "--disable-flto"
+  ] ++ lib.optionals withSystemd [
+    "--enable-systemd"
+  ] ++ lib.optionals withPythonModule [
+    "--with-pythonmodule"
+  ] ++ lib.optionals withDoH [
+    "--with-libnghttp2=${libnghttp2.dev}"
+  ] ++ lib.optionals withECS [
+    "--enable-subnet"
+  ] ++ lib.optionals withDNSCrypt [
+    "--enable-dnscrypt"
+    "--with-libsodium=${symlinkJoin { name = "libsodium-full"; paths = [ libsodium.dev libsodium.out ]; }}"
+  ] ++ lib.optionals withDNSTAP [
+    "--enable-dnstap"
+  ] ++ lib.optionals withTFO [
+    "--enable-tfo-client"
+    "--enable-tfo-server"
+  ] ++ lib.optionals withRedis [
+    "--enable-cachedb"
+    "--with-libhiredis=${hiredis}"
+  ];
+
+  PROTOC_C = lib.optionalString withDNSTAP "${protobufc}/bin/protoc-c";
+
+  # Remove references to compile-time dependencies that are included in the configure flags
+  postConfigure = let
+    inherit (builtins) storeDir;
+  in ''
+    sed -E '/CONFCMDLINE/ s;${storeDir}/[a-z0-9]{32}-;${storeDir}/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-;g' -i config.h
+  '';
+
+  nativeCheckInputs = [ bison ];
+
+  doCheck = true;
+
+  postPatch = lib.optionalString withPythonModule ''
+    substituteInPlace Makefile.in \
+      --replace "\$(DESTDIR)\$(PYTHON_SITE_PKG)" "$out/${python.sitePackages}"
+  '';
+
+  installFlags = [ "configfile=\${out}/etc/unbound/unbound.conf" ];
+
+  postInstall = ''
+    make unbound-event-install
+  '' + lib.optionalString withMakeWrapper ''
+    wrapProgram $out/bin/unbound-control-setup \
+      --prefix PATH : ${lib.makeBinPath [ openssl ]}
+  '' + lib.optionalString (withMakeWrapper && withPythonModule) ''
+    wrapProgram $out/bin/unbound \
+      --prefix PYTHONPATH : "$out/${python.sitePackages}" \
+      --argv0 $out/bin/unbound
+  '';
+
+  preFixup = lib.optionalString withSlimLib
+    # Build libunbound again, but only against nettle instead of openssl.
+    # This avoids gnutls.out -> unbound.lib -> lib.getLib openssl.
+    ''
+      configureFlags="$configureFlags --with-nettle=${nettle.dev} --with-libunbound-only"
+      configurePhase
+      buildPhase
+      if [ -n "$doCheck" ]; then
+          checkPhase
+      fi
+      installPhase
+    ''
+  # get rid of runtime dependencies on $dev outputs
+  + ''substituteInPlace "$lib/lib/libunbound.la" ''
+  + lib.concatMapStrings
+    (pkg: lib.optionalString (pkg ? dev) " --replace '-L${pkg.dev}/lib' '-L${pkg.out}/lib' --replace '-R${pkg.dev}/lib' '-R${pkg.out}/lib'")
+    (builtins.filter (p: p != null) finalAttrs.buildInputs);
+
+  passthru.tests = {
+    inherit gnutls;
+    nixos-test = nixosTests.unbound;
+    nixos-test-exporter = nixosTests.prometheus-exporters.unbound;
+  };
+
+  meta = with lib; {
+    description = "Validating, recursive, and caching DNS resolver";
+    license = licenses.bsd3;
+    homepage = "https://www.unbound.net";
+    maintainers = lib.teams.helsinki-systems.members;
+    platforms = platforms.unix ++ platforms.windows;
+  };
+})
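Review bot: The `substituteInPlace Makefile.in --replace "\$(DESTDIR)\$(PYTHON_SITE_PKG)" ...` in the `withPythonModule` branch of postPatch is a silent no-op if that Makefile variable is ever renamed upstream, and the python module would then be installed outside `$out` without any build error; `--replace-fail` turns that into a hard failure, which is the safer choice for a single expected occurrence. The `.la` rewrite in preFixup is a different case, since not every `-L${pkg.dev}/lib` is guaranteed to appear in `libunbound.la`, so the non-failing form is reasonable there. Separately, `python ? null` is dereferenced as `python.sitePackages` whenever `withPythonModule` is set, with no guard; an `assert withPythonModule -> python != null;` placed before `stdenv.mkDerivation` would replace the resulting "value is null" evaluation error with a readable message, and the same pattern fits `withSystemd`/`systemd`, which presumably only fails later at configure time.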