Merge commit '683c68232e91f76386db979c461d8fbe2a018782'

2 files changed, 91 insertions, 0 deletions

diff --git a/nixpkgs/pkgs/applications/networking/nym/default.nix b/nixpkgs/pkgs/applications/networking/nym/default.nix
new file mode 100644
index 000000000000..6bb86c016ba3
--- /dev/null
+++ b/nixpkgs/pkgs/applications/networking/nym/default.nix
@@ -0,0 +1,54 @@
+{ lib
+, rustPlatform
+, fetchFromGitHub
+, pkgconfig
+, openssl
+, libredirect
+, writeText
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "nym";
+  version = "0.6.0";
+
+  src = fetchFromGitHub {
+    owner = "nymtech";
+    repo = "nym";
+    rev = "v${version}";
+    sha256 = "1q9i24mzys6a9kp9n0bnxr3iwzblabmc6iif3ah75gffyf0cipk4";
+  };
+
+  cargoSha256 = "0qas544bs4wyllvqf2r5mvqxs1nviwcvxa3rzq10dvjyjm1xyh3k";
+
+  nativeBuildInputs = [ pkgconfig ];
+
+  buildInputs = [ openssl ];
+
+  /*
+  Nym's test presence::converting_mixnode_presence_into_topology_mixnode::it_returns_resolved_ip_on_resolvable_hostname tries to resolve nymtech.net.
+  Since there is no external DNS resolution available in the build sandbox, we point cargo and its children (that's what we remove the 'unsetenv' call for) to a hosts file in which we statically resolve nymtech.net.
+  */
+  preCheck = ''
+    export LD_PRELOAD=${libredirect.overrideAttrs (drv: {
+      postPatch = "sed -i -e /unsetenv/d libredirect.c";
+    })}/lib/libredirect.so
+    export NIX_REDIRECTS=/etc/hosts=${writeText "nym_resolve_test_hosts" "127.0.0.1 nymtech.net"}
+  '';
+
+  postCheck = "unset NIX_REDIRECTS LD_PRELOAD";
+
+
+  passthru.updateScript = ./update.sh;
+
+  meta = with lib; {
+    description = "A mixnet providing IP-level privacy";
+    longDescription = ''
+      Nym routes IP packets through other participating nodes to hide their source and destination.
+      In contrast with Tor, it prevents timing attacks at the cost of latency.
+    '';
+    homepage = "https://nymtech.net";
+    license = licenses.asl20;
+    maintainers = [ maintainers.ehmry ];
+    platforms = with platforms; intersectLists (linux ++ darwin) (x86 ++ x86_64); # see https://github.com/nymtech/nym/issues/179 for architectures
+  };
+}
diff --git a/nixpkgs/pkgs/applications/networking/nym/update.sh b/nixpkgs/pkgs/applications/networking/nym/update.sh
new file mode 100755
index 000000000000..0c65521c7f80
--- /dev/null
+++ b/nixpkgs/pkgs/applications/networking/nym/update.sh
@@ -0,0 +1,37 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p curl jq nix-prefetch
+
+# adapted from rust-analyzer
+
+set -euo pipefail
+cd "$(dirname "$0")"
+nixpkgs=../../../..
+
+owner=$(sed -nE 's/.*\bowner = "(.*)".*/\1/p' ./default.nix)
+repo=$(sed -nE 's/.*\brepo = "(.*)".*/\1/p' ./default.nix)
+rev=$(
+    curl -s "https://api.github.com/repos/$owner/$repo/releases" |
+    jq 'map(select(.prerelease | not)) | .[0].tag_name' --raw-output
+)
+version=${rev:1}
+old_version=$(sed -nE 's/.*\bversion = "(.*)".*/\1/p' ./default.nix)
+if grep -q 'cargoSha256 = ""' ./default.nix; then
+    old_version='broken'
+fi
+if [[ "$version" == "$old_version" ]]; then
+    echo "Up to date: $version"
+    exit
+fi
+echo "$old_version -> $version"
+
+sha256=$(nix-prefetch -f "$nixpkgs" nym.src --rev "$rev")
+# Clear cargoSha256 to avoid inconsistency.
+sed -e "s/version = \".*\"/version = \"$version\"/" \
+    -e "s/sha256 = \".*\"/sha256 = \"$sha256\"/" \
+    -e "s/cargoSha256 = \".*\"/cargoSha256 = \"\"/" \
+    --in-place ./default.nix
+
+echo "Prebuilding for cargoSha256"
+cargo_sha256=$(nix-prefetch "{ sha256 }: (import $nixpkgs {}).nym.cargoDeps.overrideAttrs (_: { outputHash = sha256; })")
+sed "s/cargoSha256 = \".*\"/cargoSha256 = \"$cargo_sha256\"/" \
+    --in-place ./default.nix