unbound: lighten direct security deps of libunbound

Unfortunately, it seems easiest to build all twice. Debian testing does this in a very similar way. Tested briefly some individual queries and resperf :-)
2025-01-31 09:14:28 +00:00 · 2017-02-27 17:41:35 +01:00 · 2017-02-27 17:41:35 +01:00 · d00c26a595
commit d00c26a595
parent 78e4f9d8d7
1 changed files with 14 additions and 5 deletions
--- a/pkgs/tools/networking/unbound/default.nix
+++ b/pkgs/tools/networking/unbound/default.nix
@ -1,4 +1,4 @@
-{ stdenv, fetchurl, openssl, expat, libevent }:
+{ stdenv, fetchurl, openssl, nettle, expat, libevent }:

 stdenv.mkDerivation rec {
  name = "unbound-${version}";
@ -11,7 +11,7 @@ stdenv.mkDerivation rec {

  outputs = [ "out" "lib" "man" ]; # "dev" would only split ~20 kB

-  buildInputs = [ openssl expat libevent ];
+  buildInputs = [ openssl nettle expat libevent ];

  configureFlags = [
    "--with-ssl=${openssl.dev}"
@ -26,11 +26,20 @@ stdenv.mkDerivation rec {

  installFlags = [ "configfile=\${out}/etc/unbound/unbound.conf" ];

-  # get rid of runtime dependencies on $dev outputs
-  postInstall = ''substituteInPlace "$lib/lib/libunbound.la" ''
+  preFixup =
+    # Build libunbound again, but only against nettle instead of openssl.
+    # This avoids gnutls.out -> unbound.lib -> openssl.out.
+    ''
+      configureFlags="$configureFlags --with-nettle=${nettle.dev} --with-libunbound-only"
+      configurePhase
+      buildPhase
+      installPhase
+    ''
+    # get rid of runtime dependencies on $dev outputs
+  + ''substituteInPlace "$lib/lib/libunbound.la" ''
    + stdenv.lib.concatMapStrings
      (pkg: " --replace '-L${pkg.dev}/lib' '-L${pkg.out}/lib' ")
-      [ openssl expat libevent ];
+      buildInputs;

  meta = with stdenv.lib; {
    description = "Validating, recursive, and caching DNS resolver";