| blob | 9c789a3b05641c72ed3c8d00a7ef073842b3cfc3 |
1 { stdenv
2 , lib
3 , fetchurl
4 , openssl
5 , nettle
6 , expat
7 , libevent
8 , libsodium
9 , protobufc
10 , hiredis
11 , python ? null
12 , swig
13 , dns-root-data
14 , pkg-config
15 , makeWrapper
16 , symlinkJoin
17 , bison
18 , nixosTests
19 #
20 # By default unbound will not be built with systemd support. Unbound is a very
21 # common dependency. The transitive dependency closure of systemd also
22 # contains unbound.
23 # Since most (all?) (lib)unbound users outside of the unbound daemon usage do
24 # not need the systemd integration it is likely best to just default to no
25 # systemd integration.
26 # For the daemon use-case, that needs to notify systemd, use `unbound-with-systemd`.
27 #
28 , withSystemd ? false
29 , systemd ? null
30 # optionally support DNS-over-HTTPS as a server
31 , withDoH ? false
32 , withECS ? false
33 , withDNSCrypt ? false
34 , withDNSTAP ? false
35 , withTFO ? false
36 , withRedis ? false
37 # Avoid .lib depending on lib.getLib openssl
38 # The build gets a little hacky, so in some cases we disable this approach.
39 , withSlimLib ? stdenv.hostPlatform.isLinux && !stdenv.hostPlatform.isMusl && !withDNSTAP
40 # enable support for python plugins in unbound: note this is distinct from pyunbound
41 # see https://unbound.docs.nlnetlabs.nl/en/latest/developer/python-modules.html
42 , withPythonModule ? false
43 , withLto ? !stdenv.hostPlatform.isStatic && !stdenv.hostPlatform.isMinGW
44 , withMakeWrapper ? !stdenv.hostPlatform.isMinGW
45 , libnghttp2
47 # for passthru.tests
48 , gnutls
49 }:
51 stdenv.mkDerivation (finalAttrs: {
52 pname = "unbound";
53 version = "1.21.0";
55 src = fetchurl {
56 url = "https://nlnetlabs.nl/downloads/unbound/unbound-${finalAttrs.version}.tar.gz";
57 hash = "sha256-59yn1rD4G9+m+mTr8QU7WpmaWukniofvGCQlBn6hRSE=";
58 };
60 outputs = [ "out" "lib" "man" ]; # "dev" would only split ~20 kB
62 nativeBuildInputs =
63 lib.optionals withMakeWrapper [ makeWrapper ]
64 ++ lib.optionals withDNSTAP [ protobufc ]
65 ++ [ pkg-config ]
66 ++ lib.optionals withPythonModule [ swig ];
68 buildInputs = [ openssl nettle expat libevent ]
69 ++ lib.optionals withSystemd [ systemd ]
70 ++ lib.optionals withDoH [ libnghttp2 ]
71 ++ lib.optionals withPythonModule [ python ];
73 enableParallelBuilding = true;
75 configureFlags = [
76 "--with-ssl=${openssl.dev}"
77 "--with-libexpat=${expat.dev}"
78 "--with-libevent=${libevent.dev}"
79 "--localstatedir=/var"
80 "--sysconfdir=/etc"
81 "--sbindir=\${out}/bin"
82 "--with-rootkey-file=${dns-root-data}/root.key"
83 "--enable-pie"
84 "--enable-relro-now"
85 ] ++ lib.optionals (!withLto) [
86 "--disable-flto"
87 ] ++ lib.optionals withSystemd [
88 "--enable-systemd"
89 ] ++ lib.optionals withPythonModule [
90 "--with-pythonmodule"
91 ] ++ lib.optionals withDoH [
92 "--with-libnghttp2=${libnghttp2.dev}"
93 ] ++ lib.optionals withECS [
94 "--enable-subnet"
95 ] ++ lib.optionals withDNSCrypt [
96 "--enable-dnscrypt"
97 "--with-libsodium=${symlinkJoin { name = "libsodium-full"; paths = [ libsodium.dev libsodium.out ]; }}"
98 ] ++ lib.optionals withDNSTAP [
99 "--enable-dnstap"
100 ] ++ lib.optionals withTFO [
101 "--enable-tfo-client"
102 "--enable-tfo-server"
103 ] ++ lib.optionals withRedis [
104 "--enable-cachedb"
105 "--with-libhiredis=${hiredis}"
106 ];
108 PROTOC_C = lib.optionalString withDNSTAP "${protobufc}/bin/protoc-c";
110 # Remove references to compile-time dependencies that are included in the configure flags
111 postConfigure = let
112 inherit (builtins) storeDir;
113 in ''
114 sed -E '/CONFCMDLINE/ s;${storeDir}/[a-z0-9]{32}-;${storeDir}/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-;g' -i config.h
115 '';
117 nativeCheckInputs = [ bison ];
119 doCheck = true;
121 postPatch = lib.optionalString withPythonModule ''
122 substituteInPlace Makefile.in \
123 --replace "\$(DESTDIR)\$(PYTHON_SITE_PKG)" "$out/${python.sitePackages}"
124 '';
126 installFlags = [ "configfile=\${out}/etc/unbound/unbound.conf" ];
128 postInstall = ''
129 make unbound-event-install
130 '' + lib.optionalString withMakeWrapper ''
131 wrapProgram $out/bin/unbound-control-setup \
132 --prefix PATH : ${lib.makeBinPath [ openssl ]}
133 '' + lib.optionalString (withMakeWrapper && withPythonModule) ''
134 wrapProgram $out/bin/unbound \
135 --prefix PYTHONPATH : "$out/${python.sitePackages}" \
136 --argv0 $out/bin/unbound
137 '';
139 preFixup = lib.optionalString withSlimLib
140 # Build libunbound again, but only against nettle instead of openssl.
141 # This avoids gnutls.out -> unbound.lib -> lib.getLib openssl.
142 ''
143 configureFlags="$configureFlags --with-nettle=${nettle.dev} --with-libunbound-only"
144 configurePhase
145 buildPhase
146 if [ -n "$doCheck" ]; then
147 checkPhase
148 fi
149 installPhase
150 ''
151 # get rid of runtime dependencies on $dev outputs
152 + ''substituteInPlace "$lib/lib/libunbound.la" ''
153 + lib.concatMapStrings
154 (pkg: lib.optionalString (pkg ? dev) " --replace '-L${pkg.dev}/lib' '-L${pkg.out}/lib' --replace '-R${pkg.dev}/lib' '-R${pkg.out}/lib'")
155 (builtins.filter (p: p != null) finalAttrs.buildInputs);
157 passthru.tests = {
158 inherit gnutls;
159 nixos-test = nixosTests.unbound;
160 nixos-test-exporter = nixosTests.prometheus-exporters.unbound;
161 };
163 meta = with lib; {
164 description = "Validating, recursive, and caching DNS resolver";
165 license = licenses.bsd3;
166 homepage = "https://www.unbound.net";
167 maintainers = lib.teams.helsinki-systems.members;
168 platforms = platforms.unix ++ platforms.windows;
169 };
170 })