Diffstat (limited to 'pkgs/tools/networking/unbound')
-rw-r--r--pkgs/tools/networking/unbound/default.nix19
1 files changed, 14 insertions, 5 deletions
diff --git a/pkgs/tools/networking/unbound/default.nix b/pkgs/tools/networking/unbound/default.nix
index 6cbd505103b..c263da6efe6 100644
--- a/pkgs/tools/networking/unbound/default.nix
+++ b/pkgs/tools/networking/unbound/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, openssl, expat, libevent }:
+{ stdenv, fetchurl, openssl, nettle, expat, libevent }:
 
 stdenv.mkDerivation rec {
   name = "unbound-${version}";
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
 
   outputs = [ "out" "lib" "man" ]; # "dev" would only split ~20 kB
 
-  buildInputs = [ openssl expat libevent ];
+  buildInputs = [ openssl nettle expat libevent ];
 
   configureFlags = [
     "--with-ssl=${openssl.dev}"
@@ -26,11 +26,20 @@ stdenv.mkDerivation rec {
 
   installFlags = [ "configfile=\${out}/etc/unbound/unbound.conf" ];
 
-  # get rid of runtime dependencies on $dev outputs
-  postInstall = ''substituteInPlace "$lib/lib/libunbound.la" ''
+  preFixup =
+    # Build libunbound again, but only against nettle instead of openssl.
+    # This avoids gnutls.out -> unbound.lib -> openssl.out.
+    ''
+      configureFlags="$configureFlags --with-nettle=${nettle.dev} --with-libunbound-only"
+      configurePhase
+      buildPhase
+      installPhase
+    ''
+    # get rid of runtime dependencies on $dev outputs
+  + ''substituteInPlace "$lib/lib/libunbound.la" ''
     + stdenv.lib.concatMapStrings
       (pkg: " --replace '-L${pkg.dev}/lib' '-L${pkg.out}/lib' ")
-      [ openssl expat libevent ];
+      buildInputs;
 
   meta = with stdenv.lib; {
     description = "Validating, recursive, and caching DNS resolver";
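Review bot: Nothing in the new `preFixup` confirms that the rebuilt libunbound actually ends up free of openssl, which is the stated purpose of the second build. The appended `configureFlags` still carries `--with-ssl=${openssl.dev}` from the first pass alongside `--with-nettle`, and the second `configurePhase`/`buildPhase` runs in the same tree without a clean, so the outcome depends on configure's precedence between the two flags and on make rebuilding every object; neither can be confirmed from the hunk. I would fail the build on a regression with a line after `installPhase` such as `if grep -rqF "${openssl.out}" "$lib"; then echo "libunbound still references openssl"; exit 1; fi`. A comment next to the existing one should also note that libunbound's DNSSEC validation now uses nettle while the daemon keeps openssl, so the supported algorithm set may differ between the two and is worth checking for consumers of the library. The `mkDerivation` body starts before this hunk and continues past it.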