Fixes issue #21136.
The problem is that the seccomp system call filter configured by ntpd did not
include some system calls that were apparently needed. For example, the
program hung in getpid just after the filter was installed:
```
prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) = 0
seccomp(SECCOMP_SET_MODE_STRICT, 1, NULL) = -1 EINVAL (Invalid argument)
seccomp(SECCOMP_SET_MODE_FILTER, 0, {len=41, filter=0x5620d7f0bd90}) = 0
getpid() = ?
```
I do not know exactly why this is a problem on NixOS only; perhaps we have getpid
caching disabled.
The fcntl and setsockopt system calls also had to be added.
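A triage helper for traces like the one quoted above, added here as an illustration and not part of the commit or of ntpd: it reads strace output and lists the system calls issued after a seccomp filter was installed that never returned, which are the first candidates for a missing allow-list entry. The function names and the second trace are constructed for this example.

```python
import re

# One strace line: [pid prefix] name(args) = result. The result is "?" when the call never returned.
LINE = re.compile(r"^(?:\[pid\s+\d+\]\s+|\d+\s+)?(?P<name>\w+)\((?P<args>.*)\)\s+=\s+(?P<ret>\S+)")

# These calls show "= ?" on every normal exit, so they are not evidence of a blocked call.
NEVER_RETURN = {"exit", "exit_group"}

# The four lines quoted in the commit message.
COMMIT_TRACE = """\
prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) = 0
seccomp(SECCOMP_SET_MODE_STRICT, 1, NULL) = -1 EINVAL (Invalid argument)
seccomp(SECCOMP_SET_MODE_FILTER, 0, {len=41, filter=0x5620d7f0bd90}) = 0
getpid() = ?
"""

# Constructed trace of a process whose filter allows everything it needs.
CLEAN_TRACE = """\
seccomp(SECCOMP_SET_MODE_FILTER, 0, {len=41, filter=0x5620d7f0bd90}) = 0
getpid() = 4242
exit_group(0) = ?
"""

def parse(trace):
    """Yield (syscall, args, return value) for each complete strace line."""
    for line in trace.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield m["name"], m["args"], m["ret"]

def filter_installed(name, args, ret):
    """True for a successful filter installation via seccomp(2) or prctl(2)."""
    if ret != "0":
        return False  # e.g. the failed SECCOMP_SET_MODE_STRICT probe in the trace
    return (name == "seccomp" and args.startswith("SECCOMP_SET_MODE_FILTER")) or (
        name == "prctl" and args.startswith("PR_SET_SECCOMP, SECCOMP_MODE_FILTER"))

def unreturned_after_filter(trace):
    """Names of syscalls made while a filter was active that never returned."""
    active, suspects = False, []
    for name, args, ret in parse(trace):
        if active and ret == "?" and name not in NEVER_RETURN and name not in suspects:
            suspects.append(name)
        active = active or filter_installed(name, args, ret)
    return suspects

if __name__ == "__main__":
    print(unreturned_after_filter(COMMIT_TRACE))
```

Each reported name has to be checked against what the program legitimately needs before it is added to the filter, since every extra allowed call widens what a compromised process can do.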
`preConfigure` line became too long to edit comfortably. Split up
flags into ones necessary during both build and install phase and
install phase only. Makefile defines a target for OS X/Darwin which
automatically sets the `KQUEUE` flag.
The configure scripts have been changed so that `--build` is now the
way to specify (non-cross compiling) build target, which is necessary
on darwin for binary compatibility across darwin versions.
execline: 2.1.4.5 -> 2.2.0.0
s6-dns: 2.0.0.7 -> 2.1.0.0
s6-linux-utils: 2.0.2.3 -> 2.2.0.0
s6-networking: 2.1.0.4 -> 2.2.1.0
s6-portable-utils: 2.1.0.0 -> 2.1.0.0 (no version change)
s6-rc: 0.0.2.1 -> 0.1.0.0
s6: 2.2.4.3 -> 2.4.0.0
skalibs: 2.3.9.0 -> 2.4.0.1
Also use new --enable-absolute-paths configure arg to correctly set
paths to runtime executables to point within the nix store rather than
relying on PATH resolution.
Having curl fall back to openssl's CA means that we need not patch curl
to respect NIX_SSL_CERT_FILE. It will work in all the cases.
This reverts commit fb4c43dd8a "curl: Use CA bundle in nix default profile by default"
If we want to reintroduce that feature, this needs to go inside openssl.
Improve patching of curl to use NIX_SSL_CERT_FILE as default CA
Remove patches from git, as git uses curl and passes its environment
variables to curl.
Adding ldns builds additional plugins for rewriting DNS queries,
such as blocking and forwarding.
For example, to use a custom domain blocklist, you can do:
```nix
let
  myBlockListFile = writeText "blocked-domains" ''
    *.example.com
  '';
in
{
  services.dnscrypt-proxy.extraArgs = [
    "-X libdcplugin_example_ldns_blocking.so,--domains=${myBlockListFile}"
  ];
}
```