mullvad: init at 2022.1

This package includes the CLI binaries for mullvad, but does not attempt
to build the GUI. This allows it to be (more) cross-platform than the
mullvad-vpn package, which depends on a tool that is unavailable for
e.g. ARM platforms.

3 files changed, 139 insertions, 0 deletions

diff --git a/pkgs/applications/networking/mullvad/default.nix b/pkgs/applications/networking/mullvad/default.nix
new file mode 100644
index 0000000000000..81eedb0d597b7
--- /dev/null
+++ b/pkgs/applications/networking/mullvad/default.nix
@@ -0,0 +1,7 @@
+{ lib
+, newScope
+}:
+lib.makeScope newScope (self: {
+  libwg = self.callPackage ./libwg.nix { };
+  mullvad = self.callPackage ./mullvad.nix { };
+})
diff --git a/pkgs/applications/networking/mullvad/libwg.nix b/pkgs/applications/networking/mullvad/libwg.nix
new file mode 100644
index 0000000000000..d54a2cafe8c0c
--- /dev/null
+++ b/pkgs/applications/networking/mullvad/libwg.nix
@@ -0,0 +1,35 @@
+{ lib
+, buildGoModule
+, fetchFromGitHub
+, mullvad
+}:
+buildGoModule {
+  pname = "libwg";
+
+  inherit (mullvad)
+    version
+    src
+    ;
+
+  sourceRoot = "source/wireguard/libwg";
+
+  vendorSha256 = "qvymWCdJ+GY90W/Fpdp+r1+mTq6O4LyN2Yw/PjKdFm0=";
+
+  # XXX: hack to make the ar archive go to the correct place
+  # This is necessary because passing `-o ...` to `ldflags` does not work
+  # (this doesn't get communicated everywhere in the chain, apparently, so
+  # `go` complains that it can't find an `a.out` file).
+  GOBIN = "${placeholder "out"}/lib";
+  ldflags = [ "-s" "-w" "-buildmode=c-archive" ];
+
+  postInstall = ''
+    mv $out/lib/libwg{,.a}
+  '';
+
+  meta = with lib; {
+    description = "A tiny wrapper around wireguard-go";
+    homepage = "https://github.com/mullvad/mullvadvpn-app/tree/master/wireguard/libwg";
+    license = licenses.gpl3Only;
+    maintainers = with maintainers; [ cole-h ];
+  };
+}
diff --git a/pkgs/applications/networking/mullvad/mullvad.nix b/pkgs/applications/networking/mullvad/mullvad.nix
new file mode 100644
index 0000000000000..526f39866457d
--- /dev/null
+++ b/pkgs/applications/networking/mullvad/mullvad.nix
@@ -0,0 +1,97 @@
+{ lib
+, stdenv
+, writeText
+, rustPlatform
+, fetchFromGitHub
+, pkg-config
+, protobuf
+, makeWrapper
+, dbus
+, libnftnl
+, libmnl
+, libwg
+}:
+let
+  # result of running address_cache as of 02 Mar 2022
+  bootstrap-address-cache = writeText "api-ip-address.txt" ''
+    193.138.218.78:443
+    193.138.218.71:444
+    185.65.134.66:444
+    185.65.135.117:444
+    217.138.254.130:444
+    91.90.44.10:444
+  '';
+in
+rustPlatform.buildRustPackage rec {
+  pname = "mullvad";
+  version = "2022.1";
+
+  src = fetchFromGitHub {
+    owner = "mullvad";
+    repo = "mullvadvpn-app";
+    rev = version;
+    hash = "sha256-bLwuM3Qy2iStbXIvDEWp31vuiihSQThOej297XKo5Xc=";
+  };
+
+  cargoHash = "sha256-CBbm8cJHTjyvvzCFQfKmsE5d9N7azEm8nI6KeWLVaa8=";
+
+  nativeBuildInputs = [
+    pkg-config
+    protobuf
+    makeWrapper
+  ];
+
+  buildInputs = [
+    dbus.dev
+    libnftnl
+    libmnl
+  ];
+
+  # talpid-core wants libwg.a in build/lib/{triple}
+  preBuild = ''
+    dest=build/lib/${stdenv.targetPlatform.config}
+    mkdir -p $dest
+    ln -s ${libwg}/lib/libwg.a $dest
+  '';
+
+  postFixup =
+    # Place all binaries in the 'mullvad-' namespace, even though these
+    # specific binaries aren't used in the lifetime of the program.
+    # `address_cache` is used to generate the `api-ip-address.txt` file, which
+    # contains list of Mullvad API servers -- though we provide a "backup" of
+    # the output of this command, it could change at any time, so we want
+    # users to be able to regenerate the list at any time. (The daemon will
+    # refuse to start without this file.)
+    ''
+      for bin in address_cache relay_list translations-converter; do
+        mv "$out/bin/$bin" "$out/bin/mullvad-$bin"
+      done
+    '' +
+    # Put distributed assets in-place -- specifically, the
+    # bootstrap-address-cache is necessary; otherwise, the user will have to run
+    # the `address_cache` binary and move the contents into place at
+    # `/var/cache/mullvad-vpn/api-ip-address.txt` manually. `ca.crt` is
+    # necessary for OpenVPN tunnels to work.
+    # XXX: Use of OpenVPN requires their fork of OpenVPN, which can be found at
+    # https://github.com/mullvad/openvpn/tree/mullvad-patches/
+    ''
+      mkdir -p $out/share
+      ln -s ${bootstrap-address-cache} $out/share/api-ip-address.txt
+      cp dist-assets/ca.crt $out/share
+    '' +
+    # Set the directory where Mullvad will look for its resources by default to
+    # `$out/share`, so that we can avoid putting the files in `$out/bin` --
+    # Mullvad defaults to looking inside the directory its binary is located in
+    # for its resources.
+    ''
+      wrapProgram $out/bin/mullvad-daemon \
+        --set-default MULLVAD_RESOURCE_DIR "$out/share/mullvad"
+    '';
+
+  meta = with lib; {
+    description = "Mullvad VPN command-line client tools";
+    homepage = "https://github.com/mullvad/mullvadvpn-app";
+    license = licenses.gpl3Only;
+    maintainers = with maintainers; [ cole-h ];
+  };
+}