knot-resolver: drop capabilities after startup

By default.  I forgot to add this a long time ago.
The difference in runtime closure is really tiny (232 KiB by du).

pkgs/servers/dns/knot-resolver/default.nix

@@ -3,7 +3,7 @@
 , runCommand, pkgconfig, meson, ninja, makeWrapper
 # build+runtime deps.
 , knot-dns, luajitPackages, libuv, gnutls, lmdb, systemd, dns-root-data
-, nghttp2
+, nghttp2, libcap_ng # optionals, in principle
 # test-only deps.
 , cmocka, which, cacert
 , extraFeatures ? false /* catch-all if defaults aren't enough */
@@ -55,7 +55,7 @@ unwrapped = stdenv.mkDerivation rec {
   # http://knot-resolver.readthedocs.io/en/latest/build.html#requirements
   buildInputs = [ knot-dns lua.lua libuv gnutls lmdb ]
     ++ optional stdenv.isLinux systemd # passing sockets, sd_notify
-    ++ [ nghttp2 ]
+    ++ [ nghttp2 libcap_ng ]
     ## optional dependencies; TODO: libedit, dnstap
     ;