knot-resolver: 3.2.1 -> 4.0.0

https://lists.nic.cz/pipermail/knot-resolver-users/2019/000136.html

Similar commit worked fine for me, including the nixos service.
I'd like to still improve the service to support easy passing of sockets
to http module.

(cherry picked from commit 9efdd2e434)
I'm really sorry to pull a "major" update, but the upcoming security
fixes are rather hard to backport correctly.  Please contact me in case
you run into problems when upgrading.

nixos/modules/services/networking/kresd.nix

@@ -80,8 +80,11 @@ in
         # Syntax depends on being IPv6 or IPv4.
         (iface: if elem ":" (stringToCharacters iface) then "[${iface}]:53" else "${iface}:53")
         cfg.interfaces;
-      socketConfig.ListenDatagram = listenStreams;
-      socketConfig.FreeBind = true;
+      socketConfig = {
+        ListenDatagram = listenStreams;
+        FreeBind = true;
+        FileDescriptorName = "dns";
+      };
     };
 
     systemd.sockets.kresd-tls = mkIf (cfg.listenTLS != []) rec {

pkgs/servers/dns/knot-resolver/default.nix

@@ -1,68 +1,70 @@
-{ stdenv, fetchurl, fetchpatch, runCommand, pkgconfig, hexdump, which
-, knot-dns, luajit, libuv, lmdb, gnutls, nettle
-, cmocka, systemd, dns-root-data, makeWrapper
+{ stdenv, fetchurl
+# native deps.
+, runCommand, pkgconfig, meson, ninja, makeWrapper
+# build+runtime deps.
+, knot-dns, luajitPackages, libuv, gnutls, lmdb, systemd, dns-root-data
+# test-only deps.
+, cmocka, which, cacert
 , extraFeatures ? false /* catch-all if defaults aren't enough */
-, luajitPackages
 }:
 let # un-indented, over the whole file
 
 result = if extraFeatures then wrapped-full else unwrapped;
 
-inherit (stdenv.lib) optional concatStringsSep;
+inherit (stdenv.lib) optional optionals concatStringsSep;
+lua = luajitPackages;
+
+# FIXME: remove these usages once resolving
+# https://github.com/NixOS/nixpkgs/pull/63108#issuecomment-508670438
+exportLuaPathsFor = luaPkgs: ''
+  export LUA_PATH='${ concatStringsSep ";" (map lua.getLuaPath  luaPkgs)}'
+  export LUA_CPATH='${concatStringsSep ";" (map lua.getLuaCPath luaPkgs)}'
+'';
 
 unwrapped = stdenv.mkDerivation rec {
   name = "knot-resolver-${version}";
-  version = "3.2.1";
+  version = "4.0.0";
 
   src = fetchurl {
     url = "https://secure.nic.cz/files/knot-resolver/${name}.tar.xz";
-    sha256 = "d1396888ec3a63f19dccdf2b7dbcb0d16a5d8642766824b47f4c21be90ce362b";
+    sha256 = "37161d931e64535ce38c33b9635f06a43cd1541945bf2c79a55e37f230de1631";
   };
 
-  patches = [
-    (fetchpatch {
-      name = "support-libzscanner-2.8.diff";
-      url = "https://gitlab.labs.nic.cz/knot/knot-resolver/commit/186f263.diff";
-      sha256 = "19zqigvc7m2a4j6bk9whx7gj0v009568rz5qwk052z7pzfikr8mk";
-    })
-  ];
-
-  # Short-lived cross fix, as upstream is migrating to meson anyway.
-  postPatch = ''
-    substituteInPlace platform.mk --replace "objdump" "$OBJDUMP"
-  '';
-
   outputs = [ "out" "dev" ];
 
-  configurePhase = "patchShebangs scripts/";
+  preConfigure = ''
+    patchShebangs scripts/
+  ''
+    + stdenv.lib.optionalString doInstallCheck (exportLuaPathsFor [ lua.cqueues lua.basexx ]);
 
-  nativeBuildInputs = [ pkgconfig which hexdump ];
+  nativeBuildInputs = [ pkgconfig meson ninja ];
 
   # http://knot-resolver.readthedocs.io/en/latest/build.html#requirements
-  buildInputs = [ knot-dns luajit libuv gnutls nettle lmdb ]
-    ++ optional stdenv.isLinux systemd # sd_notify
+  buildInputs = [ knot-dns lua.lua libuv gnutls lmdb ]
+    ++ optional stdenv.isLinux systemd # passing sockets, sd_notify
     ## optional dependencies; TODO: libedit, dnstap
     ;
 
-  checkInputs = [ cmocka ];
-
-  makeFlags = [
-    "PREFIX=$(out)"
-    "ROOTHINTS=${dns-root-data}/root.hints"
-    "KEYFILE_DEFAULT=${dns-root-data}/root.ds"
+  mesonFlags = [
+    "-Dkeyfile_default=${dns-root-data}/root.ds"
+    "-Droot_hints=${dns-root-data}/root.hints"
+    "-Dinstall_kresd_conf=disabled" # not really useful; examples are inside share/doc/
+    "--default-library=static" # not used by anyone
+  ]
+  ++ optionals doInstallCheck [
+    "-Dunit_tests=enabled"
+    "-Dconfig_tests=enabled"
+    #"-Dextra_tests=enabled" # not suitable as in-distro tests; many deps, too.
   ];
-  CFLAGS = [ "-O2" "-DNDEBUG" ];
-
-  enableParallelBuilding = true;
-
-  doCheck = true;
-  doInstallCheck = false; # FIXME
-  preInstallCheck = ''
-    patchShebangs tests/config/runtest.sh
-  '';
 
   postInstall = ''
-    rm "$out"/etc/knot-resolver/root.hints # using system-wide instead
+    rm "$out"/lib/libkres.a
+  '';
+
+  doInstallCheck = stdenv.hostPlatform == stdenv.buildPlatform;
+  installCheckInputs = [ cmocka which cacert ];
+  installCheckPhase = ''
+    meson test --print-errorlogs
   '';
 
   meta = with stdenv.lib; {
@@ -88,13 +90,14 @@ wrapped-full = with luajitPackages; let
     preferLocalBuild = true;
     allowSubstitutes = false;
   }
-  ''
+  (exportLuaPathsFor luaPkgs
+  + ''
     mkdir -p "$out/sbin" "$out/share"
     makeWrapper '${unwrapped}/sbin/kresd' "$out"/sbin/kresd \
-      --set LUA_PATH  '${concatStringsSep ";" (map getLuaPath  luaPkgs)}' \
-      --set LUA_CPATH '${concatStringsSep ";" (map getLuaCPath luaPkgs)}'
+      --set LUA_PATH  "$LUA_PATH" \
+      --set LUA_CPATH "$LUA_CPATH"
     ln -sr '${unwrapped}/share/man' "$out"/share/
     ln -sr "$out"/{sbin,bin}
-  '';
+  '');
 
 in result