uboot: (firmwareOdroidC2/C4) don't invoke patch tool, use patches = [] instead

https://github.com/NixOS/nixpkgs/blob/master/pkgs/stdenv/generic/setup.sh#L948 this can do it nicely. Signed-off-by: Anton Arapov <anton@deadbeef.mx>
2021-04-03 12:58:10 +02:00 · 2021-04-03 12:58:10 +02:00 · 56de2bcd43
commit 56de2bcd43
30691 changed files with 3076956 additions and 0 deletions
--- a/pkgs/servers/dns/bind/default.nix
+++ b/pkgs/servers/dns/bind/default.nix
@ -0,0 +1,86 @@
+{ config, stdenv, lib, fetchurl, fetchpatch
+, perl, pkg-config
+, libcap, libtool, libxml2, openssl, libuv, nghttp2, jemalloc
+, enableGSSAPI ? true, libkrb5
+, enablePython ? false, python3
+, enableSeccomp ? false, libseccomp
+, buildPackages, nixosTests
+}:
+
+stdenv.mkDerivation rec {
+  pname = "bind";
+  version = "9.18.3";
+
+  src = fetchurl {
+    url = "https://downloads.isc.org/isc/bind9/${version}/${pname}-${version}.tar.xz";
+    sha256 = "sha256-CtjadzvZPLoO9mzIGZlpjr35w+UfrtXlyMHrdcrSrm8=";
+  };
+
+  outputs = [ "out" "lib" "dev" "man" "dnsutils" "host" ];
+
+  patches = [
+    ./dont-keep-configure-flags.patch
+  ];
+
+  nativeBuildInputs = [ perl pkg-config ];
+  buildInputs = [ libtool libxml2 openssl libuv nghttp2 jemalloc ]
+    ++ lib.optional stdenv.isLinux libcap
+    ++ lib.optional enableSeccomp libseccomp
+    ++ lib.optional enableGSSAPI libkrb5
+    ++ lib.optional enablePython (python3.withPackages (ps: with ps; [ ply ]));
+
+  depsBuildBuild = [ buildPackages.stdenv.cc ];
+
+  configureFlags = [
+    "--localstatedir=/var"
+    "--with-libtool"
+    (if enablePython then "--with-python" else "--without-python")
+    "--without-atf"
+    "--without-dlopen"
+    "--without-docbook-xsl"
+    "--without-idn"
+    "--without-idnlib"
+    "--without-lmdb"
+    "--without-libjson"
+    "--without-pkcs11"
+    "--without-purify"
+    "--with-randomdev=/dev/random"
+    "--with-ecdsa"
+    "--with-gost"
+    "--without-eddsa"
+    "--with-aes"
+  ] ++ lib.optional stdenv.isLinux "--with-libcap=${libcap.dev}"
+    ++ lib.optional enableSeccomp "--enable-seccomp"
+    ++ lib.optional enableGSSAPI "--with-gssapi=${libkrb5.dev}/bin/krb5-config"
+    ++ lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) "BUILD_CC=$(CC_FOR_BUILD)";
+
+  postInstall = ''
+    moveToOutput bin/bind9-config $dev
+
+    moveToOutput bin/host $host
+
+    moveToOutput bin/dig $dnsutils
+    moveToOutput bin/delv $dnsutils
+    moveToOutput bin/nslookup $dnsutils
+    moveToOutput bin/nsupdate $dnsutils
+
+    for f in "$lib/lib/"*.la "$dev/bin/"bind*-config; do
+      sed -i "$f" -e 's|-L${openssl.dev}|-L${lib.getLib openssl}|g'
+    done
+  '';
+
+  doCheck = false; # requires root and the net
+
+  passthru.tests = { inherit (nixosTests) bind; };
+
+  meta = with lib; {
+    homepage = "https://www.isc.org/bind/";
+    description = "Domain name server";
+    license = licenses.mpl20;
+    changelog = "https://downloads.isc.org/isc/bind9/cur/${lib.versions.majorMinor version}/CHANGES";
+    maintainers = with maintainers; [ globin ];
+    platforms = platforms.unix;
+
+    outputsToInstall = [ "out" "dnsutils" "host" ];
+  };
+}
--- a/pkgs/servers/dns/bind/dont-keep-configure-flags.patch
+++ b/pkgs/servers/dns/bind/dont-keep-configure-flags.patch
@ -0,0 +1,40 @@
+diff --git a/bin/named/include/named/globals.h b/bin/named/include/named/globals.h
+index 82b632ef04..dedfd4d33b 100644
+--- a/bin/named/include/named/globals.h
+++ b/bin/named/include/named/globals.h
+@@ -69,7 +69,9 @@ EXTERN const char *named_g_version	INIT(PACKAGE_VERSION);
+ EXTERN const char *named_g_product	INIT(PACKAGE_NAME);
+ EXTERN const char *named_g_description	INIT(PACKAGE_DESCRIPTION);
+ EXTERN const char *named_g_srcid	INIT(PACKAGE_SRCID);
+#if 0
+ EXTERN const char *named_g_configargs	INIT(PACKAGE_CONFIGARGS);
+#endif
+ EXTERN const char *named_g_builder	INIT(PACKAGE_BUILDER);
+ EXTERN in_port_t named_g_port		INIT(0);
+ EXTERN in_port_t named_g_tlsport	INIT(0);
+diff --git a/bin/named/main.c b/bin/named/main.c
+index 9ad2d0e277..9729a2b3fc 100644
+--- a/bin/named/main.c
+++ b/bin/named/main.c
+@@ -481,7 +481,9 @@ printversion(bool verbose) {
+ 	}
+ 
+ 	printf("running on %s\n", named_os_uname());
+#if 0
+ 	printf("built by %s with %s\n", PACKAGE_BUILDER, PACKAGE_CONFIGARGS);
+#endif
+ #ifdef __clang__
+ 	printf("compiled by CLANG %s\n", __VERSION__);
+ #else /* ifdef __clang__ */
+@@ -1027,9 +1029,11 @@ setup(void) {
+ 		      NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, "running on %s",
+ 		      named_os_uname());
+ 
+#if 0
+ 	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+ 		      NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, "built with %s",
+ 		      PACKAGE_CONFIGARGS);
+#endif
+ 
+ 	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+ 		      NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE,
--- a/pkgs/servers/dns/coredns/default.nix
+++ b/pkgs/servers/dns/coredns/default.nix
@ -0,0 +1,38 @@
+{ lib
+, stdenv
+, buildGoModule
+, fetchFromGitHub
+}:
+
+buildGoModule rec {
+  pname = "coredns";
+  version = "1.9.2";
+
+  src = fetchFromGitHub {
+    owner = "coredns";
+    repo = "coredns";
+    rev = "v${version}";
+    sha256 = "sha256-6ABcXRuPEkzhjVZcltPoWGAc+fs6FwmgQCMRuLmhXxo=";
+  };
+
+  vendorSha256 = "sha256-0S77748voNlIuY6yUAa669pB09h35THojCyQKUm5VFc=";
+
+  postPatch = ''
+    substituteInPlace test/file_cname_proxy_test.go \
+      --replace "TestZoneExternalCNAMELookupWithProxy" \
+                "SkipZoneExternalCNAMELookupWithProxy"
+
+    substituteInPlace test/readme_test.go \
+      --replace "TestReadme" "SkipReadme"
+  '' + lib.optionalString stdenv.isDarwin ''
+    # loopback interface is lo0 on macos
+    sed -E -i 's/\blo\b/lo0/' plugin/bind/setup_test.go
+  '';
+
+  meta = with lib; {
+    homepage = "https://coredns.io";
+    description = "A DNS server that runs middleware";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ rushmorem rtreffer deltaevo superherointj ];
+  };
+}
--- a/pkgs/servers/dns/dnsdist/default.nix
+++ b/pkgs/servers/dns/dnsdist/default.nix
@ -0,0 +1,52 @@
+{ lib, stdenv, fetchurl, pkg-config, systemd
+, boost, libsodium, libedit, re2
+, net-snmp, lua, protobuf, openssl, zlib, h2o
+, nghttp2, nixosTests
+}:
+
+stdenv.mkDerivation rec {
+  pname = "dnsdist";
+  version = "1.7.0";
+
+  src = fetchurl {
+    url = "https://downloads.powerdns.com/releases/dnsdist-${version}.tar.bz2";
+    sha256 = "sha256-eMxyywzPf7Xz8vrgnHntplpSVjdNoJu1Qbc16mho/GQ=";
+  };
+
+  patches = [
+    # Disable tests requiring networking:
+    # "Error connecting to new server with address 192.0.2.1:53: connecting socket to 192.0.2.1:53: Network is unreachable"
+    ./disable-network-tests.patch
+  ];
+
+  nativeBuildInputs = [ pkg-config protobuf ];
+  buildInputs = [ systemd boost libsodium libedit re2 net-snmp lua openssl zlib h2o nghttp2 ];
+
+  configureFlags = [
+    "--with-libsodium"
+    "--with-re2"
+    "--enable-dnscrypt"
+    "--enable-dns-over-tls"
+    "--enable-dns-over-https"
+    "--with-protobuf=yes"
+    "--with-net-snmp"
+    "--disable-dependency-tracking"
+    "--enable-unit-tests"
+    "--enable-systemd"
+  ];
+
+  doCheck = true;
+
+  enableParallelBuilding = true;
+
+  passthru.tests = {
+    inherit (nixosTests) dnsdist;
+  };
+
+  meta = with lib; {
+    description = "DNS Loadbalancer";
+    homepage = "https://dnsdist.org";
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ jojosch ];
+  };
+}
--- a/pkgs/servers/dns/dnsdist/disable-network-tests.patch
+++ b/pkgs/servers/dns/dnsdist/disable-network-tests.patch
@ -0,0 +1,28 @@
+diff --git a/test-dnsdisttcp_cc.cc b/test-dnsdisttcp_cc.cc
+index 1fbb00e..dc04137 100644
+--- a/test-dnsdisttcp_cc.cc
+++ b/test-dnsdisttcp_cc.cc
+@@ -848,6 +848,7 @@ BOOST_AUTO_TEST_CASE(test_IncomingConnectionWithProxyProtocol_SelfAnswered)
+ 
+ BOOST_AUTO_TEST_CASE(test_IncomingConnection_BackendNoOOOR)
+ {
+  return;
+   auto local = getBackendAddress("1", 80);
+   ClientState localCS(local, true, false, false, "", {});
+   auto tlsCtx = std::make_shared<MockupTLSCtx>();
+@@ -1711,6 +1712,7 @@ BOOST_AUTO_TEST_CASE(test_IncomingConnection_BackendNoOOOR)
+ 
+ BOOST_AUTO_TEST_CASE(test_IncomingConnectionOOOR_BackendOOOR)
+ {
+  return;
+   auto local = getBackendAddress("1", 80);
+   ClientState localCS(local, true, false, false, "", {});
+   /* enable out-of-order on the front side */
+@@ -3677,6 +3679,7 @@ BOOST_AUTO_TEST_CASE(test_IncomingConnectionOOOR_BackendOOOR)
+ 
+ BOOST_AUTO_TEST_CASE(test_IncomingConnectionOOOR_BackendNotOOOR)
+ {
+  return;
+   auto local = getBackendAddress("1", 80);
+   ClientState localCS(local, true, false, false, "", {});
+   /* enable out-of-order on the front side */
--- a/pkgs/servers/dns/doh-proxy-rust/default.nix
+++ b/pkgs/servers/dns/doh-proxy-rust/default.nix
@ -0,0 +1,26 @@
+{ lib, rustPlatform, fetchCrate, stdenv, Security, libiconv, nixosTests }:
+
+rustPlatform.buildRustPackage rec {
+  pname = "doh-proxy-rust";
+  version = "0.9.2";
+
+  src = fetchCrate {
+    inherit version;
+    crateName = "doh-proxy";
+    sha256 = "sha256-/637lR6OycVOOUVe29uFR1LtYIoFJ6gslDV9uAGkU1A=";
+  };
+
+  cargoSha256 = "sha256-tadTyWSuknAjosv7AvZF0/8FlHL/zcFT5LDW1KcMeHI=";
+
+  buildInputs = lib.optionals stdenv.isDarwin [ Security libiconv ];
+
+  passthru.tests = { inherit (nixosTests) doh-proxy-rust; };
+
+  meta = with lib; {
+    homepage = "https://github.com/jedisct1/doh-server";
+    description = "Fast, mature, secure DoH server proxy written in Rust";
+    license = with licenses; [ mit ];
+    maintainers = with maintainers; [ stephank ];
+    mainProgram = "doh-proxy";
+  };
+}
--- a/pkgs/servers/dns/https-dns-proxy/default.nix
+++ b/pkgs/servers/dns/https-dns-proxy/default.nix
@ -0,0 +1,34 @@
+{ lib, stdenv, fetchFromGitHub, cmake, gtest, c-ares, curl, libev }:
+
+stdenv.mkDerivation rec {
+  pname = "https-dns-proxy";
+  # there are no stable releases (yet?)
+  version = "unstable-2021-03-29";
+
+  src = fetchFromGitHub {
+    owner = "aarond10";
+    repo = "https_dns_proxy";
+    rev = "bbd9ef272dcda3ead515871f594768af13192af7";
+    sha256 = "sha256-r+IpDklI3vITK8ZlZvIFm3JdDe2r8DK2ND3n1a/ThrM=";
+  };
+
+  nativeBuildInputs = [ cmake gtest ];
+
+  buildInputs = [ c-ares curl libev ];
+
+  installPhase = ''
+    install -Dm555 -t $out/bin https_dns_proxy
+    install -Dm444 -t $out/share/doc/${pname} ../{LICENSE,README}.*
+  '';
+
+  # upstream wants to add tests and the gtest framework is in place, so be ready
+  # for when that happens despite there being none as of right now
+  doCheck = true;
+
+  meta = with lib; {
+    description = "DNS to DNS over HTTPS (DoH) proxy";
+    license = licenses.mit;
+    maintainers = with maintainers; [ peterhoeg ];
+    platforms = platforms.linux;
+  };
+}
--- a/pkgs/servers/dns/knot-dns/default.nix
+++ b/pkgs/servers/dns/knot-dns/default.nix
@ -0,0 +1,69 @@
+{ lib, stdenv, fetchurl, pkg-config, gnutls, liburcu, lmdb, libcap_ng, libidn2, libunistring
+, systemd, nettle, libedit, zlib, libiconv, libintl, libmaxminddb, libbpf, nghttp2, libmnl
+, autoreconfHook, nixosTests, knot-resolver
+}:
+
+stdenv.mkDerivation rec {
+  pname = "knot-dns";
+  version = "3.1.8";
+
+  src = fetchurl {
+    url = "https://secure.nic.cz/files/knot-dns/knot-${version}.tar.xz";
+    sha256 = "767e458a56277a1270b359294c3be6c63fd734884d62a045e01756a46507aa94";
+  };
+
+  outputs = [ "bin" "out" "dev" ];
+
+  configureFlags = [
+    "--with-configdir=/etc/knot"
+    "--with-rundir=/run/knot"
+    "--with-storage=/var/lib/knot"
+  ];
+
+  patches = [
+    # Don't try to create directories like /var/lib/knot at build time.
+    # They are later created from NixOS itself.
+    ./dont-create-run-time-dirs.patch
+    ./runtime-deps.patch
+  ];
+
+  nativeBuildInputs = [ pkg-config autoreconfHook ];
+  buildInputs = [
+    gnutls liburcu libidn2 libunistring
+    nettle libedit
+    libiconv lmdb libintl
+    nghttp2 # DoH support in kdig
+    libmaxminddb # optional for geoip module (it's tiny)
+    # without sphinx &al. for developer documentation
+    # TODO: add dnstap support?
+  ] ++ lib.optionals stdenv.isLinux [
+    libcap_ng systemd
+    libbpf libmnl # XDP support (it's Linux kernel API)
+  ] ++ lib.optional stdenv.isDarwin zlib; # perhaps due to gnutls
+
+  enableParallelBuilding = true;
+
+  CFLAGS = [ "-O2" "-DNDEBUG" ];
+
+  doCheck = true;
+  checkFlags = "V=1"; # verbose output in case some test fails
+  doInstallCheck = true;
+
+  postInstall = ''
+    rm -r "$out"/lib/*.la
+  '';
+
+  passthru.tests = {
+    inherit knot-resolver;
+  } // lib.optionalAttrs stdenv.isLinux {
+    inherit (nixosTests) knot;
+  };
+
+  meta = with lib; {
+    description = "Authoritative-only DNS server from .cz domain registry";
+    homepage = "https://knot-dns.cz";
+    license = licenses.gpl3Plus;
+    platforms = platforms.unix;
+    maintainers = [ maintainers.vcunat ];
+  };
+}
--- a/pkgs/servers/dns/knot-dns/dont-create-run-time-dirs.patch
+++ b/pkgs/servers/dns/knot-dns/dont-create-run-time-dirs.patch
@ -0,0 +1,32 @@
+diff --git a/samples/Makefile.am b/samples/Makefile.am
+index c253c91..107401d 100644
+--- a/samples/Makefile.am
+++ b/samples/Makefile.am
+@@ -19,11 +19,6 @@ EXTRA_DIST = knot.sample.conf.in example.com.zone
+ 
+ if HAVE_DAEMON
+ 
+-install-data-local: knot.sample.conf
+-	if [ \! -f $(DESTDIR)/$(config_dir)/knot.sample.conf ]; then \
+-	  $(INSTALL) -d $(DESTDIR)/$(config_dir); \
+-	  $(INSTALL_DATA) knot.sample.conf $(srcdir)/example.com.zone $(DESTDIR)/$(config_dir); \
+-	fi
+ uninstall-local:
+ 	-rm -rf $(DESTDIR)/$(config_dir)/knot.sample.conf \
+ 	        $(DESTDIR)/$(config_dir)/example.com.zone
+diff --git a/src/utils/Makefile.inc b/src/utils/Makefile.inc
+index e6765d9..d859d23 100644
+--- a/src/utils/Makefile.inc
+++ b/src/utils/Makefile.inc
+@@ -79,11 +79,6 @@ endif HAVE_DNSTAP
+ endif HAVE_UTILS
+ 
+ if HAVE_DAEMON
+-# Create storage and run-time directories
+-install-data-hook:
+-	$(INSTALL) -d $(DESTDIR)/@config_dir@
+-	$(INSTALL) -d $(DESTDIR)/@run_dir@
+-	$(INSTALL) -d $(DESTDIR)/@storage_dir@
+ 
+ sbin_PROGRAMS = knotc knotd
+ 
--- a/pkgs/servers/dns/knot-dns/runtime-deps.patch
+++ b/pkgs/servers/dns/knot-dns/runtime-deps.patch
@ -0,0 +1,14 @@
+Remove unnecessary runtime dependencies.
+
+`knotc status configure` shows summary from the configure script,
+but that contains also references like include paths.
+Filter these at least in a crude way (whole lines).
+--- a/configure.ac
+++ b/configure.ac
+@@ -766,5 +766,5 @@ result_msg_base="  Knot DNS $VERSION
+ 
+-result_msg_esc=$(echo -n "$result_msg_base" | sed '$!s/$/\\n/' | tr -d '\n')
+result_msg_esc=$(echo -n "$result_msg_base" | grep -Fv "$NIX_STORE" | sed '$!s/$/\\n/' | tr -d '\n')
+ 
+ AC_DEFINE_UNQUOTED([CONFIGURE_SUMMARY],["$result_msg_esc"],[Configure summary])
+ 
--- a/pkgs/servers/dns/knot-resolver/default.nix
+++ b/pkgs/servers/dns/knot-resolver/default.nix
@ -0,0 +1,124 @@
+{ lib, stdenv, fetchurl
+# native deps.
+, runCommand, pkg-config, meson, ninja, makeWrapper
+# build+runtime deps.
+, knot-dns, luajitPackages, libuv, gnutls, lmdb
+, systemd, libcap_ng, dns-root-data, nghttp2 # optionals, in principle
+# test-only deps.
+, cmocka, which, cacert
+, extraFeatures ? false /* catch-all if defaults aren't enough */
+}:
+let # un-indented, over the whole file
+
+result = if extraFeatures then wrapped-full else unwrapped;
+
+inherit (lib) optional optionals optionalString;
+lua = luajitPackages;
+
+unwrapped = stdenv.mkDerivation rec {
+  pname = "knot-resolver";
+  version = "5.5.0";
+
+  src = fetchurl {
+    url = "https://secure.nic.cz/files/knot-resolver/${pname}-${version}.tar.xz";
+    sha256 = "4e6f48c74d955f143d603f6072670cb41ab9acdd95d4455d6e74b6908562c55a";
+  };
+
+  outputs = [ "out" "dev" ];
+
+  # Path fixups for the NixOS service.
+  postPatch = ''
+    patch meson.build <<EOF
+    @@ -50,2 +50,2 @@
+    -systemd_work_dir = prefix / get_option('localstatedir') / 'lib' / 'knot-resolver'
+    -systemd_cache_dir = prefix / get_option('localstatedir') / 'cache' / 'knot-resolver'
+    +systemd_work_dir  = '/var/lib/knot-resolver'
+    +systemd_cache_dir = '/var/cache/knot-resolver'
+    EOF
+
+    # ExecStart can't be overwritten in overrides.
+    # We need that to use wrapped executable and correct config file.
+    sed '/^ExecStart=/d' -i systemd/kresd@.service.in
+  ''
+    # some tests have issues with network sandboxing, apparently
+  + optionalString doInstallCheck ''
+    echo 'os.exit(77)' > daemon/lua/trust_anchors.test/bootstrap.test.lua
+    sed -E '/^[[:blank:]]*test_(dstaddr|headers),?$/d' -i \
+      tests/config/doh2.test.lua modules/http/http_doh.test.lua
+  '';
+
+  preConfigure = ''
+    patchShebangs scripts/
+  '';
+
+  nativeBuildInputs = [ pkg-config meson ninja ];
+
+  # http://knot-resolver.readthedocs.io/en/latest/build.html#requirements
+  buildInputs = [ knot-dns lua.lua libuv gnutls lmdb ]
+    ++ optionals stdenv.isLinux [ /*lib*/systemd libcap_ng ]
+    ++ [ nghttp2 ]
+    ## optional dependencies; TODO: dnstap
+    ;
+
+  mesonFlags = [
+    "-Dkeyfile_default=${dns-root-data}/root.ds"
+    "-Droot_hints=${dns-root-data}/root.hints"
+    "-Dinstall_kresd_conf=disabled" # not really useful; examples are inside share/doc/
+    "--default-library=static" # not used by anyone
+  ]
+  ++ optional doInstallCheck "-Dunit_tests=enabled"
+  ++ optional (doInstallCheck && !stdenv.isDarwin) "-Dconfig_tests=enabled"
+  ++ optional stdenv.isLinux "-Dsystemd_files=enabled" # used by NixOS service
+    #"-Dextra_tests=enabled" # not suitable as in-distro tests; many deps, too.
+  ;
+
+  postInstall = ''
+    rm "$out"/lib/libkres.a
+    rm "$out"/lib/knot-resolver/upgrade-4-to-5.lua # not meaningful on NixOS
+  '' + optionalString stdenv.targetPlatform.isLinux ''
+    rm -r "$out"/lib/sysusers.d/ # ATM more likely to harm than help
+  '';
+
+  doInstallCheck = with stdenv; hostPlatform == buildPlatform;
+  installCheckInputs = [ cmocka which cacert lua.cqueues lua.basexx lua.http ];
+  installCheckPhase = ''
+    meson test --print-errorlogs
+  '';
+
+  meta = with lib; {
+    description = "Caching validating DNS resolver, from .cz domain registry";
+    homepage = "https://knot-resolver.cz";
+    license = licenses.gpl3Plus;
+    platforms = platforms.unix;
+    maintainers = [ maintainers.vcunat /* upstream developer */ ];
+  };
+};
+
+wrapped-full = runCommand unwrapped.name
+  {
+    nativeBuildInputs = [ makeWrapper ];
+    buildInputs = with luajitPackages; [
+      # For http module, prefill module, trust anchor bootstrap.
+      # It brings lots of deps; some are useful elsewhere (e.g. cqueues).
+      http
+      # psl isn't in nixpkgs yet, but policy.slice_randomize_psl() seems not important.
+    ];
+    preferLocalBuild = true;
+    allowSubstitutes = false;
+  }
+  ''
+    mkdir -p "$out"/bin
+    makeWrapper '${unwrapped}/bin/kresd' "$out"/bin/kresd \
+      --set LUA_PATH  "$LUA_PATH" \
+      --set LUA_CPATH "$LUA_CPATH"
+
+    ln -sr '${unwrapped}/share' "$out"/
+    ln -sr '${unwrapped}/lib'   "$out"/ # useful in NixOS service
+    ln -sr "$out"/{bin,sbin}
+
+    echo "Checking that 'http' module loads, i.e. lua search paths work:"
+    echo "modules.load('http')" > test-http.lua
+    echo -e 'quit()' | env -i "$out"/bin/kresd -a 127.0.0.1#53535 -c test-http.lua
+  '';
+
+in result
--- a/pkgs/servers/dns/ncdns/default.nix
+++ b/pkgs/servers/dns/ncdns/default.nix
@ -0,0 +1,112 @@
+{ lib
+, buildGoModule
+, fetchFromGitHub
+, nixosTests
+, libcap
+}:
+
+let
+
+  # ncdns source
+  ncdns = fetchFromGitHub {
+    owner = "namecoin";
+    repo = "ncdns";
+    rev = "2a486311b0fe1a921af34aa3b31e6e4e0569accc";
+    sha256 = "01arwlycp1iia4bd3dgyn8dam1av2a7d9hv7f085n14l2i2aza7v";
+  };
+
+  # script to patch the crypto/x509 package
+  x509 = fetchFromGitHub {
+    owner = "namecoin";
+    repo = "x509-compressed";
+    rev = "fb9f2b7bc9fcba954d70f63857cc0c3841b1cf47";
+    sha256 = "1arkbpbzvhcmz5fhjqg34x2jbjnwmlisapk22rjki17qpamh7zks";
+    # ncdns must be put in a subdirectory for this to work.
+    postFetch = ''
+      cp -r --no-preserve=mode "${ncdns}" "$out/ncdns"
+    '';
+  };
+
+in
+
+buildGoModule {
+  pname = "ncdns";
+  version = "unstable-2020-07-18";
+
+  src = x509;
+
+  vendorSha256 = "02bqf6vkj5msk35sr5sklnqqd16n7gns7knzqslw077xrxiz7bsg";
+
+  # Override the go-modules fetcher derivation to apply
+  # upstream's patch of the crypto/x509 library.
+  modBuildPhase = ''
+    go mod init github.com/namecoin/x509-compressed
+    go generate ./...
+    go mod tidy
+
+    cd ncdns
+    go mod init github.com/namecoin/ncdns
+    go mod edit \
+      -replace github.com/coreos/go-systemd=github.com/coreos/go-systemd/v22@latest \
+      -replace github.com/namecoin/x509-compressed=$NIX_BUILD_TOP/source
+    go mod tidy
+  '';
+
+  # Copy over the lockfiles as well, because the source
+  # doesn't contain it. The fixed-output derivation is
+  # probably not reproducible anyway.
+  modInstallPhase = ''
+    mv -t vendor go.mod go.sum
+    cp -r --reflink=auto vendor "$out"
+  '';
+
+  buildInputs = [ libcap ];
+
+  # The fetcher derivation must run with a different
+  # $sourceRoot, but buildGoModule doesn't allow that,
+  # so we use this ugly hack.
+  unpackPhase = ''
+    runHook preUnpack
+
+    unpackFile "$src"
+    sourceRoot=$PWD/source/ncdns
+    chmod -R u+w -- "$sourceRoot"
+    cd $sourceRoot
+
+    runHook postUpack
+  '';
+
+  # Same as above: can't use `patches` because that would
+  # be also applied to the fetcher derivation, thus failing.
+  patchPhase = ''
+    runHook prePatch
+    patch -p1 < ${./fix-tpl-path.patch}
+    runHook postPatch
+  '';
+
+  preBuild = ''
+    chmod -R u+w vendor
+    mv -t . vendor/go.{mod,sum}
+  '';
+
+  preCheck = ''
+    # needed to run the ncdns test suite
+    ln -s $PWD/vendor ../../go/src
+  '';
+
+  postInstall = ''
+    mkdir -p "$out/share"
+    cp -r _doc "$out/share/doc"
+    cp -r _tpl "$out/share/tpl"
+  '';
+
+  meta = with lib; {
+    description = "Namecoin to DNS bridge daemon";
+    homepage = "https://github.com/namecoin/ncdns";
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ rnhmjoj ];
+  };
+
+  passthru.tests.ncdns = nixosTests.ncdns;
+
+}
--- a/pkgs/servers/dns/ncdns/fix-tpl-path.patch
+++ b/pkgs/servers/dns/ncdns/fix-tpl-path.patch
@ -0,0 +1,27 @@
+This sets a default value for the tpl directory that works for Nixpkgs.
+
+diff --git a/server/web.go b/server/web.go
+index d024a42..0522d02 100644
+--- a/server/web.go
+++ b/server/web.go
+@@ -10,6 +10,7 @@ import "path/filepath"
+ import "time"
+ import "strings"
+ import "fmt"
+import "os"
+ 
+ var layoutTpl *template.Template
+ var mainPageTpl *template.Template
+@@ -44,7 +45,11 @@ func deriveTemplate(filename string) (*template.Template, error) {
+ }
+ 
+ func (s *Server) tplFilename(filename string) string {
+-	td := filepath.Join(s.cfg.ConfigDir, "..", "tpl")
+	ex, err := os.Executable()
+	if err != nil {
+		panic(err)
+	}
+	td := filepath.Join(filepath.Dir(ex), "..", "share", "tpl")
+ 	if s.cfg.TplPath != "" {
+ 		td = s.cfg.TplPath
+ 	}
--- a/pkgs/servers/dns/nsd/default.nix
+++ b/pkgs/servers/dns/nsd/default.nix
@ -0,0 +1,66 @@
+{ lib, stdenv, fetchurl, libevent, openssl, nixosTests
+, bind8Stats       ? false
+, checking         ? false
+, ipv6             ? true
+, mmap             ? false
+, minimalResponses ? true
+, nsec3            ? true
+, ratelimit        ? false
+, recvmmsg         ? false
+, rootServer       ? false
+, rrtypes          ? false
+, zoneStats        ? false
+
+, configFile ? "/etc/nsd/nsd.conf"
+}:
+
+stdenv.mkDerivation rec {
+  pname = "nsd";
+  version = "4.4.0";
+
+  src = fetchurl {
+    url = "https://www.nlnetlabs.nl/downloads/${pname}/${pname}-${version}.tar.gz";
+    sha256 = "sha256-z81v3Zk0TKWn73wpQMJBvO9HH8MlK6PcvUxX4GOOiDY=";
+  };
+
+  prePatch = ''
+    substituteInPlace nsd-control-setup.sh.in --replace openssl ${openssl}/bin/openssl
+  '';
+
+  buildInputs = [ libevent openssl ];
+
+  configureFlags =
+    let edf = c: o: if c then ["--enable-${o}"] else ["--disable-${o}"];
+     in edf bind8Stats       "bind8-stats"
+     ++ edf checking         "checking"
+     ++ edf ipv6             "ipv6"
+     ++ edf mmap             "mmap"
+     ++ edf minimalResponses "minimal-responses"
+     ++ edf nsec3            "nsec3"
+     ++ edf ratelimit        "ratelimit"
+     ++ edf recvmmsg         "recvmmsg"
+     ++ edf rootServer       "root-server"
+     ++ edf rrtypes          "draft-rrtypes"
+     ++ edf zoneStats        "zone-stats"
+     ++ [ "--with-ssl=${openssl.dev}"
+          "--with-libevent=${libevent.dev}"
+          "--with-nsd_conf_file=${configFile}"
+          "--with-configdir=etc/nsd"
+        ];
+
+  patchPhase = ''
+    sed 's@$(INSTALL_DATA) nsd.conf.sample $(DESTDIR)$(nsdconfigfile).sample@@g' -i Makefile.in
+  '';
+
+  passthru.tests = {
+    inherit (nixosTests) nsd;
+  };
+
+  meta = with lib; {
+    homepage = "http://www.nlnetlabs.nl";
+    description = "Authoritative only, high performance, simple and open source name server";
+    license = licenses.bsd3;
+    platforms = platforms.unix;
+    maintainers = [ maintainers.hrdinka ];
+  };
+}
--- a/pkgs/servers/dns/pdns-recursor/default.nix
+++ b/pkgs/servers/dns/pdns-recursor/default.nix
@ -0,0 +1,42 @@
+{ lib, stdenv, fetchurl, pkg-config, boost, nixosTests
+, openssl, systemd, lua, luajit, protobuf
+, enableProtoBuf ? false
+}:
+
+stdenv.mkDerivation rec {
+  pname = "pdns-recursor";
+  version = "4.6.2";
+
+  src = fetchurl {
+    url = "https://downloads.powerdns.com/releases/pdns-recursor-${version}.tar.bz2";
+    sha256 = "sha256-2mSYUHOf3XuvLfZFrMl3UszTkJc7VrjiUXHqew0lrSA=";
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [
+    boost openssl systemd
+    lua luajit
+  ] ++ lib.optional enableProtoBuf protobuf;
+
+  configureFlags = [
+    "--enable-reproducible"
+    "--enable-systemd"
+  ];
+
+  enableParallelBuilding = true;
+
+  passthru.tests = {
+    inherit (nixosTests) pdns-recursor ncdns;
+  };
+
+  meta = with lib; {
+    description = "A recursive DNS server";
+    homepage = "https://www.powerdns.com/";
+    platforms = platforms.linux;
+    badPlatforms = [
+      "i686-linux"  # a 64-bit time_t is needed
+    ];
+    license = licenses.gpl2Only;
+    maintainers = with maintainers; [ rnhmjoj ];
+  };
+}
--- a/pkgs/servers/dns/pdns/default.nix
+++ b/pkgs/servers/dns/pdns/default.nix
@ -0,0 +1,64 @@
+{ lib, stdenv, fetchurl, pkg-config, nixosTests
+, boost, libyamlcpp, libsodium, sqlite, protobuf, openssl, systemd
+, mariadb-connector-c, postgresql, lua, openldap, geoip, curl, unixODBC, lmdb, tinycdb
+}:
+
+stdenv.mkDerivation rec {
+  pname = "powerdns";
+  version = "4.6.2";
+
+  src = fetchurl {
+    url = "https://downloads.powerdns.com/releases/pdns-${version}.tar.bz2";
+    hash = "sha256-9EOEiUS7Ebu0hQIhYTs6Af+1f+vyZx2myqVzYu4LGbg=";
+  };
+  # redact configure flags from version output to reduce closure size
+  patches = [ ./version.patch ];
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [
+    boost mariadb-connector-c postgresql lua openldap sqlite protobuf geoip
+    libyamlcpp libsodium curl unixODBC openssl systemd lmdb tinycdb
+  ];
+
+  # Configure phase requires 64-bit time_t even on 32-bit platforms.
+  NIX_CFLAGS_COMPILE = lib.optionals stdenv.hostPlatform.is32bit [
+    "-D_TIME_BITS=64" "-D_FILE_OFFSET_BITS=64"
+  ];
+
+  configureFlags = [
+    "--disable-silent-rules"
+    "--enable-dns-over-tls"
+    "--enable-unit-tests"
+    "--enable-reproducible"
+    "--enable-tools"
+    "--enable-ixfrdist"
+    "--enable-systemd"
+    "--with-libsodium"
+    "--with-sqlite3"
+    "--with-libcrypto=${openssl.dev}"
+  ];
+
+  # nix destroy with-modules arguments, when using configureFlags
+  preConfigure = ''
+    configureFlagsArray+=(
+      "--with-modules="
+      "--with-dynmodules=bind geoip gmysql godbc gpgsql gsqlite3 ldap lmdb lua2 pipe remote tinydns"
+    )
+  '';
+
+  enableParallelBuilding = true;
+  doCheck = true;
+
+  passthru.tests = {
+    nixos = nixosTests.powerdns;
+  };
+
+  meta = with lib; {
+    description = "Authoritative DNS server";
+    homepage = "https://www.powerdns.com";
+    platforms = platforms.unix;
+    broken = stdenv.isDarwin;
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ mic92 disassembler nickcao ];
+  };
+}
--- a/pkgs/servers/dns/pdns/version.patch
+++ b/pkgs/servers/dns/pdns/version.patch
@ -0,0 +1,13 @@
+diff --git a/pdns/version.cc b/pdns/version.cc
+index d8f5d40..1368481 100644
+--- a/pdns/version.cc
+++ b/pdns/version.cc
+@@ -155,7 +155,7 @@ void showBuildConfiguration()
+ #ifdef PDNS_CONFIG_ARGS
+ #define double_escape(s) #s
+ #define escape_quotes(s) double_escape(s)
+-  g_log<<Logger::Warning<<"Configured with: "<<escape_quotes(PDNS_CONFIG_ARGS)<<endl;
+  g_log<<Logger::Warning<<"Configured with: "<<"redacted"<<endl;
+ #undef escape_quotes
+ #undef double_escape
+ #endif