depot/third_party/nixpkgs/pkgs/tools/networking/miniupnpd/default.nix

{
  stdenv,
  lib,
  fetchurl,
  iptables-legacy,
  libuuid,
  openssl,
  pkg-config,
  which,
  iproute2,
  gnused,
  coreutils,
  gnugrep,
  gawk,
  makeWrapper,
  nixosTests,
  firewall ? "iptables",
  nftables,
  libmnl,
  libnftnl,
}:

let
  scriptBinEnv =
    lib.makeBinPath
      {
        iptables = [
          # needed for dirname in ip{,6}tables_*.sh
          coreutils
          # used in miniupnpd_functions.sh:
          which
          iproute2
          iptables-legacy
          gnused
          gnugrep
          gawk
        ];
        nftables = [
          # needed for dirname in nft_*.sh & cat in nft_init.sh
          coreutils
          # used in miniupnpd_functions.sh:
          which
          nftables
        ];
      }
      .${firewall};
in
stdenv.mkDerivation rec {
  pname = "miniupnpd";
  version = "2.3.7";

  src = fetchurl {
    url = "https://miniupnp.tuxfamily.org/files/miniupnpd-${version}.tar.gz";
    sha256 = "sha256-+91VAQOXMPBKhCDqL49Ut99j+fBM3i3Gf6c3HoBHe74=";
  };

  buildInputs =
    [
      iptables-legacy
      libuuid
      openssl
    ]
    ++ lib.optionals (firewall == "nftables") [
      libmnl
      libnftnl
    ];
  nativeBuildInputs = [
    pkg-config
    makeWrapper
  ];

  # ./configure is not a standard configure file, errors with:
  # Option not recognized : --prefix=
  dontAddPrefix = true;
  configureFlags = [
    "--firewall=${firewall}"
    # allow using various config options
    "--ipv6"
    "--leasefile"
    "--regex"
    "--vendorcfg"
    # hardening
    "--portinuse"
  ];

  installFlags = [
    "PREFIX=$(out)"
    "INSTALLPREFIX=$(out)"
  ];

  postFixup =
    {
      # Ideally we'd prefer using system's config.firewall.package here for iptables,
      # however for some reason switching --prefix to --suffix breaks the script
      iptables = ''
        for script in $out/etc/miniupnpd/ip{,6}tables_{init,removeall}.sh
        do
          wrapProgram $script --prefix PATH : '${scriptBinEnv}:$PATH'
        done
      '';
      nftables = ''
        for script in $out/etc/miniupnpd/nft_{delete_chain,flush,init,removeall}.sh
        do
          wrapProgram $script --suffix PATH : '${scriptBinEnv}:$PATH'
        done
      '';
    }
    .${firewall};

  passthru.tests = {
    bittorrent-integration = nixosTests.bittorrent;
    inherit (nixosTests) upnp;
  };

  meta = with lib; {
    homepage = "https://miniupnp.tuxfamily.org/";
    description = "Daemon that implements the UPnP Internet Gateway Device (IGD) specification";
    platforms = platforms.linux;
    license = licenses.bsd3;
    mainProgram = "miniupnpd";
  };
}