From bf0e745597c5fc9547e41905f0f0354d009f154e Mon Sep 17 00:00:00 2001
From: Arnold Krille <arnold@arnoldarts.de>
Date: Sat, 21 May 2016 13:12:48 +0200
Subject: [PATCH] unbound service: do not initialize root cert

When enableRootTrustAnchor is set to false, there is really no point in
initializing the root key before starting unbound.

Fixes #15605.
---
 nixos/modules/services/networking/unbound.nix | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/nixos/modules/services/networking/unbound.nix b/nixos/modules/services/networking/unbound.nix
index 89762fe5248..0dd24478f40 100644
--- a/nixos/modules/services/networking/unbound.nix
+++ b/nixos/modules/services/networking/unbound.nix
@@ -106,8 +106,10 @@ in
       preStart = ''
         mkdir -m 0755 -p ${stateDir}/dev/
         cp ${confFile} ${stateDir}/unbound.conf
+        ${optionalString cfg.enableRootTrustAnchor ''
         ${pkgs.unbound}/bin/unbound-anchor -a ${rootTrustAnchorFile}
         chown unbound ${stateDir} ${rootTrustAnchorFile}
+        ''}
         touch ${stateDir}/dev/random
         ${pkgs.utillinux}/bin/mount --bind -n /dev/random ${stateDir}/dev/random
       '';