# Maintainer: Gaetan Bisson <bisson@archlinux.org>
# Contributor: Hisato Tatekura <hisato_tatekura@excentrics.net>
# Contributor: Massimiliano Torromeo <massimiliano DOT torromeo AT google mail service>

# ALARM: Kevin Mihelich <kevin@archlinuxarm.org>
#  - disable LTO (--disable-flto)

pkgname=unbound
pkgver=1.9.4
pkgrel=1
pkgdesc='Validating, recursive, and caching DNS resolver'
url='https://unbound.net/'
license=('custom:BSD')
arch=('x86_64')
makedepends=('expat')
optdepends=('expat: unbound-anchor')
depends=('fstrm' 'openssl' 'libsodium' 'protobuf-c' 'libevent' 'ldns' 'dnssec-anchors')
backup=('etc/unbound/unbound.conf')
validpgpkeys=('EDFAA3F2CA4E6EB05681AF8E9F6F1C2D7E045F8D')
source=("https://unbound.net/downloads/${pkgname}-${pkgver}.tar.gz"{,.asc}
        'https://github.com/NLnetLabs/unbound/commit/ff8fd0be5c529e7a1b84e8c74426e9c531c0a8f8.patch'
        'https://github.com/NLnetLabs/unbound/commit/ae2d5276d27f16044382ce49eb2e2459e073e619.patch'
        'https://github.com/NLnetLabs/unbound/commit/acdd4058d27ede378d0ab720df8a61d7a50189b1.patch'
        'https://github.com/NLnetLabs/unbound/commit/6943cab6708761c64e8eb55f2d4bbc5660871ff3.patch'
        'sysusers.d'
        'tmpfiles.d'
        'hook')
sha256sums=('3d3e25fb224025f0e732c7970e5676f53fd1764c16d6a01be073a13e42954bb0'
            'SKIP'
            'e44b1e87940f5a6c08c74cfd2c9b8556d211070d6170ea1cd4b5efc650516d33'
            '02616ae85f5f8ce3c3b0af21c67527076e3134ba2f387de343749b817227746d'
            'c52e982da46efedaf8e7c2bed2225a21138a24d2ce89b2de1ceda01e9555b617'
            'b641d402ab3dd4cf5e4ec16fa1aa8b3e735c6df8692cde6685aab928d168ac2c'
            '85b8f00881fb93bcce83bdfe3246463a396eb5b352c0d7f5fca32fcb839d22fa'
            '31a573f43287dd7e3678be1680388bfc7d8dee8280eb2443f521a4b349aaa6b6'
            '2746aede36b1f57efdcc370b7643ce31ff9e6acb9a1f62705987b07eaed866a3')

prepare() {
	cd "${srcdir}/${pkgname}-${pkgver}"
	patch -p1 -i ../ff8fd0be5c529e7a1b84e8c74426e9c531c0a8f8.patch
	patch -p1 -i ../ae2d5276d27f16044382ce49eb2e2459e073e619.patch
	patch -p1 -i ../acdd4058d27ede378d0ab720df8a61d7a50189b1.patch
	patch -p1 -i ../6943cab6708761c64e8eb55f2d4bbc5660871ff3.patch
	sed '/# trust-anchor-file:/c\\ttrust-anchor-file: /etc/unbound/trusted-key.key' -i doc/example.conf.in
}

build() {
	cd "${srcdir}/${pkgname}-${pkgver}"
	./configure \
		--prefix=/usr \
		--sysconfdir=/etc \
		--localstatedir=/var \
		--sbindir=/usr/bin \
		--disable-rpath \
		--enable-dnscrypt \
		--enable-dnstap \
		--enable-pie \
		--enable-relro-now \
		--enable-subnet \
		--enable-systemd \
		--enable-tfo-client \
		--enable-tfo-server \
		--with-conf-file=/etc/unbound/unbound.conf \
		--with-pidfile=/run/unbound.pid \
		--with-rootkey-file=/etc/trusted-key.key \
		--with-libevent \
		--disable-flto

	make
}

package() {
	cd "${srcdir}/${pkgname}-${pkgver}"
	make DESTDIR="${pkgdir}" install
	install -Dm644 contrib/unbound.service "${pkgdir}/usr/lib/systemd/system/unbound.service"
	install -Dm644 LICENSE "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
	install -Dm644 ../sysusers.d "${pkgdir}/usr/lib/sysusers.d/unbound.conf"

	# Trust anchor file available from within unbound's chroot.
	install -Dm644 ../tmpfiles.d "${pkgdir}/usr/lib/tmpfiles.d/unbound.conf"
	install -Dm644 ../hook "${pkgdir}/usr/share/libalpm/hooks/unbound-key.hook"
}