From 89e9c49bf451066bfd82ff39b604d25dec990e52 Mon Sep 17 00:00:00 2001
From: Dmitry Bogatov <KAction@disroot.org>
Date: Sat, 17 Oct 2020 00:00:00 -0400
Subject: [PATCH 1/2] keyutils: fix static build

---
 pkgs/os-specific/linux/keyutils/default.nix | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/pkgs/os-specific/linux/keyutils/default.nix b/pkgs/os-specific/linux/keyutils/default.nix
index fb06f942e482..fe9cb46fb8a9 100644
--- a/pkgs/os-specific/linux/keyutils/default.nix
+++ b/pkgs/os-specific/linux/keyutils/default.nix
@@ -23,6 +23,8 @@ stdenv.mkDerivation rec {
     ./conf-symlink.patch
   ];
 
+  makeFlags = stdenv.lib.optionals stdenv.hostPlatform.isStatic "NO_SOLIB=1";
+
   BUILDDATE = "1970-01-01";
   outputs = [ "out" "lib" "dev" ];
 

From 4879ea90342ea3afa4f301b3fab44a8ec3e7c3e7 Mon Sep 17 00:00:00 2001
From: Dmitry Bogatov <KAction@disroot.org>
Date: Sun, 18 Oct 2020 00:00:00 -0400
Subject: [PATCH 2/2] openssh: fix static build

---
 pkgs/tools/networking/openssh/default.nix | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix
index 64e6757891e3..f199cc364257 100644
--- a/pkgs/tools/networking/openssh/default.nix
+++ b/pkgs/tools/networking/openssh/default.nix
@@ -63,7 +63,9 @@ stdenv.mkDerivation rec {
       substituteInPlace Makefile.in --replace '$(INSTALL) -m 4711' '$(INSTALL) -m 0711'
     '';
 
-  nativeBuildInputs = [ pkgconfig ] ++ optional (hpnSupport || withGssapiPatches) autoreconfHook;
+  nativeBuildInputs = [ pkgconfig ]
+    ++ optional (hpnSupport || withGssapiPatches) autoreconfHook
+    ++ optional withKerberos kerberos.dev;
   buildInputs = [ zlib openssl libedit pam ]
     ++ optional withFIDO libfido2
     ++ optional withKerberos kerberos;
@@ -72,6 +74,22 @@ stdenv.mkDerivation rec {
     # Setting LD causes `configure' and `make' to disagree about which linker
     # to use: `configure' wants `gcc', but `make' wants `ld'.
     unset LD
+  ''
+  # Upstream build system does not support static build, so we fall back
+  # on fragile patching of configure script.
+  #
+  # libedit is found by pkgconfig, but without --static flag, required
+  # to get also transitive dependencies for static linkage, hence sed
+  # expression.
+  #
+  # Kerberos can be found either by krb5-config or by fall-back shell
+  # code in openssh's configure.ac. Neither of them support static
+  # build, but patching code for krb5-config is simpler, so to get it
+  # into PATH, kerberos.dev is added into buildInputs.
+  + optionalString stdenv.hostPlatform.isStatic ''
+    sed -i "s,PKGCONFIG --libs,PKGCONFIG --libs --static,g" configure
+    sed -i 's#KRB5CONF --libs`#KRB5CONF --libs` -lkrb5support -lkeyutils#g' configure
+    sed -i 's#KRB5CONF --libs gssapi`#KRB5CONF --libs gssapi` -lkrb5support -lkeyutils#g' configure
   '';
 
   # I set --disable-strip because later we strip anyway. And it fails to strip