lukegb/depot
1
0
Fork 0
Code Issues 1 Pull requests Projects Packages Activity Actions
depot/third_party/nixpkgs/pkgs/by-name/mu/mullvad-browser/package.nix

320 lines
8 KiB
Nix
Raw Blame History

{
lib,
stdenv,
fetchurl,
makeDesktopItem,
copyDesktopItems,
makeWrapper,
writeText,
wrapGAppsHook3,
autoPatchelfHook,
patchelfUnstable, # have to use patchelfUnstable to support --no-clobber-old-sections
callPackage,
atk,
cairo,
dbus,
dbus-glib,
fontconfig,
freetype,
gdk-pixbuf,
glib,
gtk3,
libxcb,
libX11,
libXext,
libXrender,
libXt,
libXtst,
mesa,
pango,
pciutils,
zlib,
libnotifySupport ? stdenv.hostPlatform.isLinux,
libnotify,
waylandSupport ? stdenv.hostPlatform.isLinux,
libxkbcommon,
libdrm,
libGL,
mediaSupport ? true,
ffmpeg,
audioSupport ? mediaSupport,
pipewireSupport ? audioSupport,
pipewire,
pulseaudioSupport ? audioSupport,
libpulseaudio,
apulse,
alsa-lib,
libvaSupport ? mediaSupport,
libva,
# Extra preferences
extraPrefs ? "",
}:
let
libPath = lib.makeLibraryPath (
[
alsa-lib
atk
cairo
dbus
dbus-glib
fontconfig
freetype
gdk-pixbuf
glib
gtk3
libxcb
libX11
libXext
libXrender
libXt
libXtst
mesa # for libgbm
pango
pciutils
stdenv.cc.cc
stdenv.cc.libc
zlib
]
++ lib.optionals libnotifySupport [ libnotify ]
++ lib.optionals waylandSupport [
libxkbcommon
libdrm
libGL
]
++ lib.optionals pipewireSupport [ pipewire ]
++ lib.optionals pulseaudioSupport [ libpulseaudio ]
++ lib.optionals libvaSupport [ libva ]
++ lib.optionals mediaSupport [ ffmpeg ]
);
version = "14.0.3";
sources = {
x86_64-linux = fetchurl {
urls = [
"https://cdn.mullvad.net/browser/${version}/mullvad-browser-linux-x86_64-${version}.tar.xz"
"https://github.com/mullvad/mullvad-browser/releases/download/${version}/mullvad-browser-linux-x86_64-${version}.tar.xz"
"https://archive.torproject.org/tor-package-archive/mullvadbrowser/${version}/mullvad-browser-linux-x86_64-${version}.tar.xz"
"https://dist.torproject.org/mullvadbrowser/${version}/mullvad-browser-linux-x86_64-${version}.tar.xz"
"https://tor.eff.org/dist/mullvadbrowser/${version}/mullvad-browser-linux-x86_64-${version}.tar.xz"
"https://tor.calyxinstitute.org/dist/mullvadbrowser/${version}/mullvad-browser-linux-x86_64-${version}.tar.xz"
];
hash = "sha256-Kv69Q6o/Ww64yA8y5J3JXIV48A2B08YhNE9ib/UuA0o=";
};
};
distributionIni = writeText "distribution.ini" (
lib.generators.toINI { } {
# Some light branding indicating this build uses our distro preferences
Global = {
id = "nixos";
version = "1.0";
about = "Mullvad Browser for NixOS";
};
}
);
policiesJson = writeText "policies.json" (
builtins.toJSON {
policies.DisableAppUpdate = true;
}
);
in
stdenv.mkDerivation rec {
pname = "mullvad-browser";
inherit version;
src =
sources.${stdenv.hostPlatform.system}
or (throw "unsupported system: ${stdenv.hostPlatform.system}");
nativeBuildInputs = [
autoPatchelfHook
patchelfUnstable
copyDesktopItems
makeWrapper
wrapGAppsHook3
];
buildInputs = [
gtk3
alsa-lib
dbus-glib
libXtst
];
# Firefox uses "relrhack" to manually process relocations from a fixed offset
patchelfFlags = [ "--no-clobber-old-sections" ];
preferLocalBuild = true;
allowSubstitutes = false;
desktopItems = [
(makeDesktopItem {
name = "mullvad-browser";
exec = "mullvad-browser %U";
icon = "mullvad-browser";
desktopName = "Mullvad Browser";
genericName = "Web Browser";
comment = meta.description;
categories = [
"Network"
"WebBrowser"
"Security"
];
mimeTypes = [
"text/html"
"text/xml"
"application/xhtml+xml"
"application/vnd.mozilla.xul+xml"
"x-scheme-handler/http"
"x-scheme-handler/https"
];
})
];
buildPhase = ''
runHook preBuild
# For convenience ...
MB_IN_STORE=$out/share/mullvad-browser
# Unpack & enter
mkdir -p "$MB_IN_STORE"
tar xf "$src" -C "$MB_IN_STORE" --strip-components=2
pushd "$MB_IN_STORE"
# Set ELF interpreter
autoPatchelf mullvadbrowser.real
# mullvadbrowser is a wrapper that checks for a more recent libstdc++ & appends it to the ld path
mv mullvadbrowser.real mullvadbrowser
# store state at `~/.mullvad` instead of relative to executable
touch "$MB_IN_STORE/system-install"
# Add bundled libraries to libPath.
libPath=${libPath}:$MB_IN_STORE
# apulse uses a non-standard library path. For now special-case it.
${lib.optionalString (audioSupport && !pulseaudioSupport) ''
libPath=${apulse}/lib/apulse:$libPath
''}
# Prepare for autoconfig.
#
# See https://developer.mozilla.org/en-US/Firefox/Enterprise_deployment
cat >defaults/pref/autoconfig.js <<EOF
//
pref("general.config.filename", "mozilla.cfg");
pref("general.config.obscure_value", 0);
EOF
# Hard-coded Firefox preferences.
cat >mozilla.cfg <<EOF
// First line must be a comment
// Reset pref that captures store paths.
clearPref("extensions.xpiState");
// Stop obnoxious first-run redirection.
lockPref("noscript.firstRunRedirection", false);
// Allow sandbox access to sound devices if using ALSA directly
${
if (audioSupport && !pulseaudioSupport) then
''
pref("security.sandbox.content.write_path_whitelist", "/dev/snd/");
''
else
''
clearPref("security.sandbox.content.write_path_whitelist");
''
}
${lib.optionalString (extraPrefs != "") ''
${extraPrefs}
''}
EOF
# FONTCONFIG_FILE is required to make fontconfig read the MB
# fonts.conf; upstream uses FONTCONFIG_PATH, but FC_DEBUG=1024
# indicates the system fonts.conf being used instead.
FONTCONFIG_FILE=$MB_IN_STORE/fontconfig/fonts.conf
substituteInPlace "$FONTCONFIG_FILE" \
--replace-fail '<dir prefix="cwd">fonts</dir>' "<dir>$MB_IN_STORE/fonts</dir>"
mkdir -p $out/bin
makeWrapper "$MB_IN_STORE/mullvadbrowser" "$out/bin/mullvad-browser" \
--prefix LD_LIBRARY_PATH : "$libPath" \
--set FONTCONFIG_FILE "$FONTCONFIG_FILE" \
--set-default MOZ_ENABLE_WAYLAND 1
# Easier access to docs
mkdir -p $out/share/doc
ln -s $MB_IN_STORE/Data/Docs $out/share/doc/mullvad-browser
# Install icons
for i in 16 32 48 64 128; do
mkdir -p $out/share/icons/hicolor/''${i}x''${i}/apps/
ln -s $out/share/mullvad-browser/browser/chrome/icons/default/default$i.png $out/share/icons/hicolor/''${i}x''${i}/apps/mullvad-browser.png
done
# Check installed apps
echo "Checking mullvad-browser wrapper ..."
$out/bin/mullvad-browser --version >/dev/null
runHook postBuild
'';
installPhase = ''
runHook preInstall
# Install distribution customizations
install -Dvm644 ${distributionIni} $out/share/mullvad-browser/distribution/distribution.ini
install -Dvm644 ${policiesJson} $out/share/mullvad-browser/distribution/policies.json
runHook postInstall
'';
passthru = {
inherit sources;
updateScript = callPackage ./update.nix {
inherit pname version meta;
baseUrl = "https://cdn.mullvad.net/browser/";
name = "mullvad-browser";
};
};
meta = with lib; {
description = "Privacy-focused browser made in a collaboration between The Tor Project and Mullvad";
mainProgram = "mullvad-browser";
homepage = "https://mullvad.net/en/browser";
platforms = attrNames sources;
maintainers = with maintainers; [
felschr
panicgh
sigmasquadron
];
# MPL2.0+, GPL+, &c. While it's not entirely clear whether
# the compound is "libre" in a strict sense (some components place certain
# restrictions on redistribution), it's free enough for our purposes.
license = with licenses; [
mpl20
lgpl21Plus
lgpl3Plus
free
];
sourceProvenance = with sourceTypes; [ binaryNativeCode ];
};
}
Reference in a new issue View git blame Copy permalink