authorVladimír Čunát <vcunat@gmail.com>2017-02-27 17:41:35 +0100
committerVladimír Čunát <vcunat@gmail.com>2017-02-27 18:23:20 +0100
commitd00c26a59570d7cd93470808cc38def83a523762 (patch)
tree77c97b6e46b1f8ef1f8ebed733f4c37dac87dee2 /pkgs/tools/networking/unbound
parent78e4f9d8d7f6124713a7694140e44713fe70e209 (diff)
unbound: lighten direct security deps of libunbound
Unfortunately, it seems easiest to build everything twice.
Debian testing does this in a very similar way.

Tested briefly some individual queries and resperf :-)
Diffstat (limited to 'pkgs/tools/networking/unbound')
-rw-r--r--pkgs/tools/networking/unbound/default.nix19
1 files changed, 14 insertions, 5 deletions
diff --git a/pkgs/tools/networking/unbound/default.nix b/pkgs/tools/networking/unbound/default.nix
index 83d3d88729df..f32a90a871ae 100644
--- a/pkgs/tools/networking/unbound/default.nix
+++ b/pkgs/tools/networking/unbound/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, openssl, expat, libevent }:
+{ stdenv, fetchurl, openssl, nettle, expat, libevent }:
 
 stdenv.mkDerivation rec {
   name = "unbound-${version}";
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
 
   outputs = [ "out" "lib" "man" ]; # "dev" would only split ~20 kB
 
-  buildInputs = [ openssl expat libevent ];
+  buildInputs = [ openssl nettle expat libevent ];
 
   configureFlags = [
     "--with-ssl=${openssl.dev}"
@@ -26,11 +26,20 @@ stdenv.mkDerivation rec {
 
   installFlags = [ "configfile=\${out}/etc/unbound/unbound.conf" ];
 
-  # get rid of runtime dependencies on $dev outputs
-  postInstall = ''substituteInPlace "$lib/lib/libunbound.la" ''
+  preFixup =
+    # Build libunbound again, but only against nettle instead of openssl.
+    # This avoids gnutls.out -> unbound.lib -> openssl.out.
+    ''
+      configureFlags="$configureFlags --with-nettle=${nettle.dev} --with-libunbound-only"
+      configurePhase
+      buildPhase
+      installPhase
+    ''
+    # get rid of runtime dependencies on $dev outputs
+  + ''substituteInPlace "$lib/lib/libunbound.la" ''
     + stdenv.lib.concatMapStrings
       (pkg: " --replace '-L${pkg.dev}/lib' '-L${pkg.out}/lib' ")
-      [ openssl expat libevent ];
+      buildInputs;
 
   meta = with stdenv.lib; {
     description = "Validating, recursive, and caching DNS resolver";
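Review bot: The second configure run on the `configureFlags="$configureFlags --with-nettle=…"` line still carries `--with-ssl=${openssl.dev}` from the earlier flag list, so nothing in the hunk actually asserts that the rebuilt libunbound no longer references openssl.out, which is the whole point stated in the comment above it. A cheap guard after the substituteInPlace would pin the intent, e.g. `if grep -q '${openssl.out}' "$lib"/lib/libunbound.so*; then echo "libunbound still links openssl" >&2; exit 1; fi`, so a future configure change that silently ignores `--with-nettle` fails the build instead of reintroducing the dependency. Worth a one-line comment as well: with this change the daemon in `$out` validates DNSSEC with OpenSSL while the libunbound in `$lib` uses nettle, so crypto advisories for both libraries now affect this package, and library consumers (gnutls per the comment) get nettle's behaviour rather than the daemon's. Whether the repeated `installPhase` with `--with-libunbound-only` touches anything in `$out` besides the library is not visible here and should be confirmed.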