mullvad: init at 2022.1

pkgs/applications/networking/mullvad/default.nix

@@ -0,0 +1,8 @@
+{ lib
+, newScope
+}:
+lib.makeScope newScope (self: {
+  libwg = self.callPackage ./libwg.nix { };
+  mullvad = self.callPackage ./mullvad.nix { };
+  openvpn-mullvad = self.callPackage ./openvpn.nix { };
+})

pkgs/applications/networking/mullvad/libwg.nix

@@ -0,0 +1,35 @@
+{ lib
+, buildGoModule
+, fetchFromGitHub
+, mullvad
+}:
+buildGoModule {
+  pname = "libwg";
+
+  inherit (mullvad)
+    version
+    src
+    ;
+
+  sourceRoot = "source/wireguard/libwg";
+
+  vendorSha256 = "qvymWCdJ+GY90W/Fpdp+r1+mTq6O4LyN2Yw/PjKdFm0=";
+
+  # XXX: hack to make the ar archive go to the correct place
+  # This is necessary because passing `-o ...` to `ldflags` does not work
+  # (this doesn't get communicated everywhere in the chain, apparently, so
+  # `go` complains that it can't find an `a.out` file).
+  GOBIN = "${placeholder "out"}/lib";
+  ldflags = [ "-s" "-w" "-buildmode=c-archive" ];
+
+  postInstall = ''
+    mv $out/lib/libwg{,.a}
+  '';
+
+  meta = with lib; {
+    description = "A tiny wrapper around wireguard-go";
+    homepage = "https://github.com/mullvad/mullvadvpn-app/tree/master/wireguard/libwg";
+    license = licenses.gpl3Only;
+    maintainers = with maintainers; [ cole-h ];
+  };
+}

pkgs/applications/networking/mullvad/mullvad.nix

@@ -0,0 +1,107 @@
+{ lib
+, stdenv
+, writeText
+, rustPlatform
+, fetchFromGitHub
+, pkg-config
+, protobuf
+, makeWrapper
+, dbus
+, libnftnl
+, libmnl
+, libwg
+, openvpn-mullvad
+, shadowsocks-rust
+}:
+let
+  # result of running address_cache as of 02 Mar 2022
+  bootstrap-address-cache = writeText "api-ip-address.txt" ''
+    193.138.218.78:443
+    193.138.218.71:444
+    185.65.134.66:444
+    185.65.135.117:444
+    217.138.254.130:444
+    91.90.44.10:444
+  '';
+in
+rustPlatform.buildRustPackage rec {
+  pname = "mullvad";
+  version = "2022.1";
+
+  src = fetchFromGitHub {
+    owner = "mullvad";
+    repo = "mullvadvpn-app";
+    rev = version;
+    hash = "sha256-bLwuM3Qy2iStbXIvDEWp31vuiihSQThOej297XKo5Xc=";
+  };
+
+  cargoHash = "sha256-CBbm8cJHTjyvvzCFQfKmsE5d9N7azEm8nI6KeWLVaa8=";
+
+  nativeBuildInputs = [
+    pkg-config
+    protobuf
+    makeWrapper
+  ];
+
+  buildInputs = [
+    dbus.dev
+    libnftnl
+    libmnl
+  ];
+
+  # talpid-core wants libwg.a in build/lib/{triple}
+  preBuild = ''
+    dest=build/lib/${stdenv.targetPlatform.config}
+    mkdir -p $dest
+    ln -s ${libwg}/lib/libwg.a $dest
+  '';
+
+  postFixup =
+    # Place all binaries in the 'mullvad-' namespace, even though these
+    # specific binaries aren't used in the lifetime of the program.
+    # `address_cache` is used to generate the `api-ip-address.txt` file, which
+    # contains list of Mullvad API servers -- though we provide a "backup" of
+    # the output of this command, it could change at any time, so we want
+    # users to be able to regenerate the list at any time. (The daemon will
+    # refuse to start without this file.)
+    ''
+      for bin in address_cache relay_list translations-converter; do
+        mv "$out/bin/$bin" "$out/bin/mullvad-$bin"
+      done
+    '' +
+    # Put distributed assets in-place -- specifically, the
+    # bootstrap-address-cache is necessary; otherwise, the user will have to run
+    # the `address_cache` binary and move the contents into place at
+    # `/var/cache/mullvad-vpn/api-ip-address.txt` manually.
+    ''
+      mkdir -p $out/share/mullvad
+      ln -s ${bootstrap-address-cache} $out/share/mullvad/api-ip-address.txt
+    '' +
+    # Files necessary for OpenVPN tunnels to work.
+    ''
+      cp dist-assets/ca.crt $out/share/mullvad
+      ln -s ${openvpn-mullvad}/bin/openvpn $out/share/mullvad
+      ln -s ${shadowsocks-rust}/bin/sslocal $out/share/mullvad
+      ln -s $out/lib/libtalpid_openvpn_plugin.so $out/share/mullvad
+    '' +
+    # Set the directory where Mullvad will look for its resources by default to
+    # `$out/share`, so that we can avoid putting the files in `$out/bin` --
+    # Mullvad defaults to looking inside the directory its binary is located in
+    # for its resources.
+    ''
+      wrapProgram $out/bin/mullvad-daemon \
+        --set-default MULLVAD_RESOURCE_DIR "$out/share/mullvad"
+    '';
+
+  passthru = {
+    inherit libwg;
+    inherit openvpn-mullvad;
+  };
+
+  meta = with lib; {
+    description = "Mullvad VPN command-line client tools";
+    homepage = "https://github.com/mullvad/mullvadvpn-app";
+    license = licenses.gpl3Only;
+    maintainers = with maintainers; [ cole-h ];
+  };
+}

pkgs/applications/networking/mullvad/openvpn.nix

@@ -0,0 +1,87 @@
+{ lib
+, openvpn
+, fetchpatch
+, fetchurl
+, iproute2
+, autoconf
+, automake
+}:
+
+openvpn.overrideAttrs (oldAttrs:
+  let
+    fetchMullvadPatch = { commit, sha256 }: fetchpatch {
+      url = "https://github.com/mullvad/openvpn/commit/${commit}.patch";
+      inherit sha256;
+    };
+  in
+  rec {
+    pname = "openvpn-mullvad";
+    version = "2.5.3";
+
+    src = fetchurl {
+      url = "https://swupdate.openvpn.net/community/releases/openvpn-${version}.tar.gz";
+      sha256 = "sha256-dfAETfRJQwVVynuZWit3qyTylG/cNmgwG47cI5hqX34=";
+    };
+
+    buildInputs = oldAttrs.buildInputs or [ ] ++ [
+      iproute2
+    ];
+
+    configureFlags = oldAttrs.configureFlags  or [ ] ++ [
+      "--enable-iproute2"
+      "IPROUTE=${iproute2}/sbin/ip"
+    ];
+
+    nativeBuildInputs = oldAttrs.nativeBuildInputs or [ ] ++ [
+      autoconf
+      automake
+    ];
+
+    patches = oldAttrs.patches or [ ] ++ [
+      # look at compare to find the relevant commits
+      # https://github.com/OpenVPN/openvpn/compare/release/2.5...mullvad:mullvad-patches
+      # used openvpn version is the latest tag ending with -mullvad
+      # https://github.com/mullvad/openvpn/tags
+      (fetchMullvadPatch {
+        # "Reduce PUSH_REQUEST_INTERVAL to one second"
+        commit = "41e44158fc71bb6cc8cc6edb6ada3307765a12e8";
+        sha256 = "sha256-UoH0V6gTPdEuybFkWxdaB4zomt7rZeEUyXs9hVPbLb4=";
+      })
+      (fetchMullvadPatch {
+        # "Allow auth plugins to set a failure reason"
+        commit = "f51781c601e8c72ae107deaf25bf66f7c193e9cd";
+        sha256 = "sha256-+kwG0YElL16T0e+avHlI8gNQdAxneRS6fylv7QXvC1s=";
+      })
+      (fetchMullvadPatch {
+        # "Send an event to any plugins when authentication fails"
+        commit = "c2f810f966f2ffd68564d940b5b8946ea6007d5a";
+        sha256 = "sha256-PsKIxYwpLD66YaIpntXJM8OGcObyWBSAJsQ60ojvj30=";
+      })
+      (fetchMullvadPatch {
+        # "Shutdown when STDIN is closed"
+        commit = "879d6a3c0288b5443bbe1b94261655c329fc2e0e";
+        sha256 = "sha256-pRFY4r+b91/xAKXx6u5GLzouQySXuO5gH0kMGm77a3c=";
+      })
+      (fetchMullvadPatch {
+        # "Update TAP hardware ID"
+        commit = "7f71b37a3b25bec0b33a0e29780c222aef869e9d";
+        sha256 = "sha256-RF/GvD/ZvhLdt34wDdUT/yxa+IVWx0eY6WRdNWXxXeQ=";
+      })
+      (fetchMullvadPatch {
+        # "Undo dependency on Python docutils"
+        commit = "abd3c6214529d9f4143cc92dd874d8743abea17c";
+        sha256 = "sha256-SC2RlpWHUDMAEKap1t60dC4hmalk3vok6xY+/xhC2U0=";
+      })
+      (fetchMullvadPatch {
+        # "Prevent signal when stdin is closed from being cleared (#10)"
+        commit = "b45b090c81e7b4f2dc938642af7a1e12f699f5c5";
+        sha256 = "sha256-KPTFmbuJhMI+AvaRuu30CPPLQAXiE/VApxlUCqbZFls=";
+      })
+    ];
+
+    meta = oldAttrs.meta or { } // {
+      description = "OpenVPN with Mullvad-specific patches applied";
+      homepage = "https://github.com/mullvad/openvpn";
+      maintainers = with lib; [ maintainers.cole-h ];
+    };
+  })

pkgs/top-level/all-packages.nix

@@ -21636,6 +21636,9 @@ with pkgs;
 
   morty = callPackage ../servers/web-apps/morty { };
 
+  inherit (callPackage ../applications/networking/mullvad { })
+    mullvad;
+
   mullvad-vpn = callPackage ../applications/networking/mullvad-vpn { };
 
   mycorrhiza = callPackage ../servers/mycorrhiza {