coredns: add support for plugins

nixos/doc/manual/release-notes/rl-2311.section.md

@@ -306,6 +306,24 @@ The module update takes care of the new config syntax and the data itself (user
   - `keepTerminfo` controls whether `TERMINFO` and `TERMINFO_DIRS` are preserved
     for `root` and the `wheel` group.
 
+- CoreDNS can now be built with external plugins by overriding `externalPlugins` and `vendorHash` arguments like this:
+
+  ```
+  services.coredns = {
+    enable = true;
+    package = pkgs.coredns.override {
+      externalPlugins = [
+        {name = "fanout"; repo = "github.com/networkservicemesh/fanout"; version = "v1.9.1";}
+      ];
+      vendorHash = "<SRI hash>";
+    };
+  };
+  ```
+
+  To get the necessary SRI hash, set `vendorHash = "";`. The build will fail and produce the correct `vendorHash` in the error message.
+
+  If you use this feature, updates to CoreDNS may require updating `vendorHash` by following these steps again.
+
 
 ## Nixpkgs internals {#sec-release-23.11-nixpkgs-internals}
 

pkgs/servers/dns/coredns/default.nix

@@ -3,9 +3,16 @@
 , buildGoModule
 , fetchFromGitHub
 , installShellFiles
+, externalPlugins ? []
+, vendorHash ? "sha256-TvIswNQ7DL/MtYmMSxXf+VqKHcmzZVZwohOCvRWxBkY="
 }:
 
-buildGoModule rec {
+let
+  attrsToPlugins = attrs:
+    builtins.map ({name, repo, version}: "${name}:${repo}") attrs;
+  attrsToSources = attrs:
+    builtins.map ({name, repo, version}: "${repo}@${version}") attrs;
+in buildGoModule rec {
   pname = "coredns";
   version = "1.11.0";
 
@@ -16,19 +23,44 @@ buildGoModule rec {
     sha256 = "sha256-Mn8hOsODTlnl6PJaevMcyIKkIx/1Lk2HGA7fSSizR20=";
   };
 
-  vendorHash = "sha256-9LFwrG6RxZaCLxrNabdnq++U5Aw+d2w90Zqt/wszNTY=";
+  inherit vendorHash;
 
   nativeBuildInputs = [ installShellFiles ];
 
   outputs = [ "out" "man" ];
 
+  # Override the go-modules fetcher derivation to fetch plugins
+  modBuildPhase = ''
+    for plugin in ${builtins.toString (attrsToPlugins externalPlugins)}; do echo $plugin >> plugin.cfg; done
+    for src in ${builtins.toString (attrsToSources externalPlugins)}; do go get $src; done
+    go generate
+    go mod vendor
+  '';
+
+  modInstallPhase = ''
+    mv -t vendor go.mod go.sum plugin.cfg
+    cp -r --reflink=auto vendor "$out"
+  '';
+
+  preBuild = ''
+    chmod -R u+w vendor
+    mv -t . vendor/go.{mod,sum} vendor/plugin.cfg
+
+    go generate
+  '';
+
   postPatch = ''
     substituteInPlace test/file_cname_proxy_test.go \
       --replace "TestZoneExternalCNAMELookupWithProxy" \
                 "SkipZoneExternalCNAMELookupWithProxy"
 
     substituteInPlace test/readme_test.go \
       --replace "TestReadme" "SkipReadme"
+
+    # this test fails if any external plugins were imported.
+    # it's a lint rather than a test of functionality, so it's safe to disable.
+    substituteInPlace test/presubmit_test.go \
+      --replace "TestImportOrdering" "SkipImportOrdering"
   '' + lib.optionalString stdenv.isDarwin ''
     # loopback interface is lo0 on macos
     sed -E -i 's/\blo\b/lo0/' plugin/bind/setup_test.go