# Copyright 1999-2024 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=8 PYTHON_COMPAT=( python3_{10..12} ) VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/unbound.net.asc inherit autotools flag-o-matic multilib-minimal python-single-r1 systemd verify-sig MY_P=${PN}-${PV/_/} DESCRIPTION="A validating, recursive and caching DNS resolver" HOMEPAGE="https://unbound.net/ https://nlnetlabs.nl/projects/unbound/about/" SRC_URI=" https://nlnetlabs.nl/downloads/unbound/${MY_P}.tar.gz verify-sig? ( https://nlnetlabs.nl/downloads/unbound/${MY_P}.tar.gz.asc ) " S="${WORKDIR}"/${MY_P} LICENSE="BSD GPL-2" SLOT="0/8" # ABI version of libunbound.so if [[ ${PV} != *_rc* ]] ; then KEYWORDS="~alpha amd64 arm arm64 ~hppa ~mips ppc ppc64 ~riscv ~sparc x86" fi IUSE="debug dnscrypt dnstap +ecdsa ecs gost +http2 +ipset python redis selinux static-libs systemd test +tfo threads" REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )" RESTRICT="!test? ( test )" # Note: expat is needed by executable only but the Makefile is custom # and doesn't make it possible to easily install the library without # the executables. MULTILIB_USEDEP may be dropped once build system # is fixed. DEPEND=" acct-group/unbound acct-user/unbound >=dev-libs/expat-2.1.0-r3[${MULTILIB_USEDEP}] >=dev-libs/libevent-2.0.21:0=[${MULTILIB_USEDEP}] >=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}] dnscrypt? ( dev-libs/libsodium:=[${MULTILIB_USEDEP}] ) dnstap? ( dev-libs/fstrm[${MULTILIB_USEDEP}] >=dev-libs/protobuf-c-1.0.2-r1:=[${MULTILIB_USEDEP}] ) ecdsa? ( dev-libs/openssl:0[-bindist(-)] ) http2? ( net-libs/nghttp2:=[${MULTILIB_USEDEP}] ) python? ( ${PYTHON_DEPS} ) redis? ( dev-libs/hiredis:= ) systemd? ( sys-apps/systemd ) " BDEPEND=" virtual/pkgconfig python? ( dev-lang/swig ) test? ( net-libs/ldns[examples(-)] dev-util/splint app-text/wdiff ) verify-sig? ( sec-keys/openpgp-keys-unbound ) " RDEPEND=" ${DEPEND} net-dns/dnssec-root selinux? ( sec-policy/selinux-bind ) " QA_CONFIG_IMPL_DECL_SKIP=( ioctlsocket # not on Linux (bug #900060) ) PATCHES=( "${FILESDIR}"/${PN}-1.5.7-trust-anchor-file.patch "${FILESDIR}"/${PN}-1.6.3-pkg-config.patch "${FILESDIR}"/${PN}-1.10.1-find-ar.patch ) pkg_setup() { use python && python-single-r1_pkg_setup } src_prepare() { default eautoreconf # Required for the python part multilib_copy_sources } src_configure() { [[ ${CHOST} == *-darwin* ]] || append-ldflags -Wl,-z,noexecstack multilib-minimal_src_configure } multilib_src_configure() { local myeconfargs=( $(multilib_native_use_enable debug) $(multilib_native_use_enable gost) $(multilib_native_use_enable dnscrypt) $(multilib_native_use_enable dnstap) $(multilib_native_use_enable ecdsa) $(multilib_native_use_enable ecs subnet) $(multilib_native_use_enable ipset) $(multilib_native_use_enable redis cachedb) $(multilib_native_use_enable static-libs static) $(multilib_native_use_enable systemd) $(multilib_native_use_with python pythonmodule) $(multilib_native_use_with python pyunbound) $(multilib_native_use_with threads pthreads) $(multilib_native_use_with http2 libnghttp2) $(multilib_native_use_enable tfo tfo-client) $(multilib_native_use_enable tfo tfo-server) --disable-flto --disable-rpath --enable-event-api --enable-ipsecmod --with-libevent="${ESYSROOT}"/usr $(multilib_native_usex redis --with-libhiredis="${ESYSROOT}/usr" --without-libhiredis) --with-pidfile="${EPREFIX}"/run/unbound.pid --with-rootkey-file="${EPREFIX}"/etc/dnssec/root-anchors.txt --with-ssl="${ESYSROOT}"/usr --with-libexpat="${ESYSROOT}"/usr # http://unbound.nlnetlabs.nl/pipermail/unbound-users/2011-April/001801.html # $(use_enable debug lock-checks) # $(use_enable debug alloc-checks) # $(use_enable debug alloc-lite) # $(use_enable debug alloc-nonregional) ) econf "${myeconfargs[@]}" } multilib_src_install() { emake DESTDIR="${D}" install systemd_dounit contrib/unbound.service systemd_dounit contrib/unbound.socket } multilib_src_install_all() { use python && python_optimize newinitd "${FILESDIR}"/unbound-r1.initd unbound newconfd "${FILESDIR}"/unbound-r1.confd unbound systemd_newunit "${FILESDIR}"/unbound_at.service "unbound@.service" systemd_dounit "${FILESDIR}"/unbound-anchor.service dodoc doc/{README,CREDITS,TODO,Changelog,FEATURES} # bug #315519 dodoc contrib/unbound_munin_ docinto selinux dodoc contrib/selinux/* exeinto /usr/share/${PN} doexe contrib/update-anchor.sh # Create space for auto-trust-anchor-file... keepdir /etc/unbound/var fowners root:unbound /etc/unbound/var fperms 0770 /etc/unbound/var # ... and point example config to it sed -i \ -e '/# auto-trust-anchor-file:/s,/etc/dnssec/root-anchors.txt,/etc/unbound/var/root-anchors.txt,' \ "${ED}/etc/unbound/unbound.conf" \ || die # Used to store cache data keepdir /var/lib/${PN} fowners root:unbound /var/lib/${PN} fperms 0770 /var/lib/${PN} find "${ED}" -name '*.la' -delete || die if ! use static-libs ; then find "${ED}" -name "*.a" -delete || die fi } pkg_postinst() { if [[ ! -f "${EROOT}/etc/unbound/unbound_control.key" ]]; then einfo "Trying to create unbound control key ..." if ! unbound-control-setup &>/dev/null ; then ewarn "Failed to create unbound control key!" fi fi if [[ ! -f "${EROOT}/etc/unbound/var/root-anchors.txt" ]]; then einfo "" einfo "If you want unbound to automatically update the root-anchor file for DNSSEC validation" einfo "set 'auto-trust-anchor-file: ${EROOT}/etc/unbound/var/root-anchors.txt' in ${EROOT}/etc/unbound/unbound.conf" einfo "and run" einfo "" einfo " su -s /bin/sh -c '${EROOT}/usr/sbin/unbound-anchor -a ${EROOT}/etc/unbound/var/root-anchors.txt' unbound" einfo "" einfo "as root to create it initially before starting unbound for the first time after enabling this." einfo "" fi # Our user is not available on prefix use prefix && return local _perm_check_testfile=$(mktemp --dry-run "${EPREFIX}"/etc/unbound/var/.pkg_postinst-perm-check.XXXXXXXXX) su -s /bin/sh -c "touch ${_perm_check_testfile}" unbound &>/dev/null if [[ $? -ne 0 ]]; then ewarn "WARNING: unbound user cannot write to \"${EPREFIX}/etc/unbound/var\"!" ewarn "Run the following commands to restore default permission:" ewarn "" ewarn " chown root:unbound ${EPREFIX}/etc/unbound/var" ewarn " chmod 0770 ${EPREFIX}/etc/unbound/var" else # Cleanup -- no reason to die here! rm -f "${_perm_check_testfile}" fi }