NixOS · sund3RRR · Dec 24, 2024
diff --git a/nixos/doc/manual/release-notes/rl-2505.section.md b/nixos/doc/manual/release-notes/rl-2505.section.md
@@ -29,6 +29,8 @@
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
+- [AmneziaVPN](https://amnezia.org/en), an open-source VPN client, with a key feature that enables you to deploy your own VPN server on your server. Available as [programs.amnezia-vpn](#opt-programs.amnezia-vpn.enable).
+
 - [Bazecor](https://github.com/Dygmalab/Bazecor), the graphical configurator for Dygma Products.
 
 - [Bonsai](https://git.sr.ht/~stacyharper/bonsai), a general-purpose event mapper/state machine primarily used to create complex key shortcuts, and as part of the [SXMO](https://sxmo.org/) desktop environment. Available as [services.bonsaid](#opt-services.bonsaid.enable).

diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
@@ -149,6 +149,7 @@
   ./programs/_1password.nix
   ./programs/adb.nix
   ./programs/alvr.nix
+  ./programs/amnezia-vpn.nix
   ./programs/appgate-sdp.nix
   ./programs/appimage.nix
   ./programs/arp-scan.nix

diff --git a/nixos/modules/programs/amnezia-vpn.nix b/nixos/modules/programs/amnezia-vpn.nix
@@ -0,0 +1,38 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.programs.amnezia-vpn;
+in
+{
+  options.programs.amnezia-vpn = {
+    enable = lib.mkEnableOption "The AmneziaVPN client";
+  };
+
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages = [ pkgs.amnezia-vpn ];
+
+    services.dbus.packages = [ pkgs.amnezia-vpn ];
+    services.resolved.enable = true;
+
+    systemd = {
+      services.amnezia-vpn = {
+        description = "AmneziaVPN Service";
+        after = [ "network.target" ];
+        startLimitIntervalSec = 0;
+        serviceConfig = {
+          Type = "simple";
+          Restart = "always";
+          RestartSec = 1;
+          ExecStart = "${pkgs.amnezia-vpn}/bin/AmneziaVPN-service";
+        };
+        wantedBy = [ "multi-user.target" ];
+      };
+    };
+  };
+
+  meta.maintainers = with lib.maintainers; [ sund3RRR ];
+}
diff --git a/pkgs/by-name/am/amnezia-vpn/amnezia-tun2socks/default.nix b/pkgs/by-name/am/amnezia-vpn/amnezia-tun2socks/default.nix
@@ -0,0 +1,34 @@
+{
+  lib,
+  buildGoModule,
+  fetchFromGitHub,
+}:
+
+buildGoModule rec {
+  pname = "amnezia-tun2socks";
+  version = "2.5.4";
+
+  src = fetchFromGitHub {
+    owner = "amnezia-vpn";
+    repo = "amnezia-tun2socks";
+    rev = "v${version}";
+    hash = "sha256-lHo7WtcqccBSHly6neuksh1gC7RCKxbFNX9KSKNNeK8=";
+  };
+
+  vendorHash = "sha256-VvOaTJ6dBFlbGZGxnHy2sCtds1tyhu6VsPewYpsDBiM=";
+
+  ldflags = [
+    "-w"
+    "-s"
+    "-X github.com/amnezia-vpn/amnezia-tun2socks/v2/internal/version.Version=v${version}"
+    "-X github.com/amnezia-vpn/amnezia-tun2socks/v2/internal/version.GitCommit=v${version}"
+  ];
+
+  meta = with lib; {
+    homepage = "https://github.com/amnezia-vpn/amnezia-tun2socks";
+    description = "Amnezia tun2socks - powered by gVisor TCP/IP stack";
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ sund3RRR ];
+    mainProgram = "tun2socks";
+  };
+}
diff --git a/pkgs/by-name/am/amnezia-vpn/amnezia-xray/default.nix b/pkgs/by-name/am/amnezia-vpn/amnezia-xray/default.nix
@@ -0,0 +1,67 @@
+{
+  lib,
+  fetchFromGitHub,
+  symlinkJoin,
+  buildGoModule,
+  makeWrapper,
+  nix-update-script,
+  v2ray-geoip,
+  v2ray-domain-list-community,
+  assets ? [
+    v2ray-geoip
+    v2ray-domain-list-community
+  ],
+}:
+
+buildGoModule rec {
+  pname = "amnezia-xray-core";
+  version = "1.8.13";
+
+  src = fetchFromGitHub {
+    owner = "amnezia-vpn";
+    repo = "amnezia-xray-core";
+    rev = "v${version}";
+    hash = "sha256-7XYdogoUEv3kTPTOQwRCohsPtfSDf+aRdI28IkTjvPk=";
+  };
+
+  vendorHash = "sha256-zArdGj5yeRxU0X4jNgT5YBI9SJUyrANDaqNPAPH3d5M=";
+
+  nativeBuildInputs = [ makeWrapper ];
+
+  doCheck = false;
+
+  ldflags = [
+    "-s"
+    "-w"
+  ];
+  subPackages = [ "main" ];
+
+  installPhase = ''
+    runHook preInstall
+    install -Dm555 "$GOPATH"/bin/main $out/bin/xray
+    runHook postInstall
+  '';
+
+  assetsDrv = symlinkJoin {
+    name = "v2ray-assets";
+    paths = assets;
+  };
+
+  postFixup = ''
+    wrapProgram $out/bin/xray \
+      --set-default V2RAY_LOCATION_ASSET $assetsDrv/share/v2ray \
+      --set-default XRAY_LOCATION_ASSET $assetsDrv/share/v2ray
+  '';
+
+  passthru = {
+    updateScript = nix-update-script { };
+  };
+
+  meta = {
+    description = "Platform for building proxies to bypass network restrictions. A replacement for v2ray-core, with XTLS support and fully compatible configuration";
+    mainProgram = "xray";
+    homepage = "https://github.com/amnezia-vpn/amnezia-xray-core";
+    license = with lib.licenses; [ mpl20 ];
+    maintainers = with lib.maintainers; [ sund3RRR ];
+  };
+}
diff --git a/pkgs/by-name/am/amnezia-vpn/package.nix b/pkgs/by-name/am/amnezia-vpn/package.nix
@@ -0,0 +1,133 @@
+{
+  lib,
+  stdenv,
+  fetchFromGitHub,
+  cmake,
+  pkg-config,
+  kdePackages,
+  qt6,
+  libsecret,
+  xdg-utils,
+  amneziawg-go,
+  openvpn,
+  shadowsocks-rust,
+  cloak-pt,
+  wireguard-tools,
+  callPackage,
+  busybox,
+  sudo,
+}:
+let
+  amnezia-tun2socks = callPackage ./amnezia-tun2socks { };
+  amnezia-xray = callPackage ./amnezia-xray { };
+in
+stdenv.mkDerivation (finalAttrs: {
+  pname = "amnezia-vpn";
+  version = "4.8.2.3";
+
+  src = fetchFromGitHub {
+    owner = "amnezia-vpn";
+    repo = "amnezia-client";
+    rev = "refs/tags/${finalAttrs.version}";
+    hash = "sha256-bCWPyRW2xnnopcwfPHgQrdP85Ct0CDufJRQ1PvCAiDE=";
+    fetchSubmodules = true;
+  };
+
+  postPatch = ''
+    # fix amneziaWG protocol
+    substituteInPlace client/platforms/linux/daemon/wireguardutilslinux.cpp \
+      --replace-fail 'm_tunnel.start(appPath.filePath("../../client/bin/wireguard-go"), wgArgs);' 'm_tunnel.start("${amneziawg-go}/bin/amneziawg-go", wgArgs);'
+
+    # fix service dns flush
+    substituteInPlace service/server/router_linux.cpp \
+      --replace-fail '|| QFileInfo::exists("/usr/lib/systemd/system/nscd.service"))' '|| QFileInfo::exists("/run/systemd/propagate/nscd.service"))'
+
+    # fix openvpn, wg-quick and tun2socks executables
+    # fix SIGSEGV due to missing return value
+    substituteInPlace client/utilities.cpp \
+      --replace-fail 'return Utils::executable("../../client/bin/openvpn", true);' 'return Utils::executable("${openvpn}/bin/openvpn", false);' \
+      --replace-fail 'return Utils::executable("../../client/bin/tun2socks", true);' 'return Utils::executable("${amnezia-tun2socks}/bin/amnezia-tun2socks", false);' \
+      --replace-fail 'return Utils::usrExecutable("wg-quick");' 'return Utils::executable("${wireguard-tools}/bin/wg-quick", false);' \
+      --replace-fail 'QProcess::execute(QString("pkill %1").arg(name));' 'QProcess::execute(QString("pkill -f %1").arg(name)); return true;' \
+
+    # fix xray executable
+    substituteInPlace client/protocols/xrayprotocol.cpp \
+      --replace-fail 'return Utils::executable(QString("xray"), true);' 'return Utils::executable(QString("${amnezia-xray}/bin/xray"), false);'
+
+    # fix openvpn over cloak protocol
+    substituteInPlace client/protocols/openvpnovercloakprotocol.cpp \
+      --replace-fail 'return Utils::executable(QString("/ck-client"), true);' 'return Utils::executable(QString("${cloak-pt}/bin/ck-client"), false);'
+
+    # fix openvpn over ss protocol
+    substituteInPlace client/protocols/shadowsocksvpnprotocol.cpp \
+      --replace-fail 'return Utils::executable(QString("/ss-local"), true);' 'return Utils::executable(QString("${shadowsocks-rust}/bin/sslocal"), false);'
+
+    # fix update-resolv-conf.sh path
+    substituteInPlace client/configurators/openvpn_configurator.cpp \
+      --replace-fail ".arg(qApp->applicationDirPath());" ".arg(\"$out/local/bin\");"
+
+    # fix icon path
+    substituteInPlace client/ui/qautostart.cpp \
+      --replace-fail "/usr/share/pixmaps/AmneziaVPN.png" "$out/share/pixmaps/AmneziaVPN.png"
+
+    # fix desktop item
+    substituteInPlace deploy/installer/config/AmneziaVPN.desktop.in \
+      --replace-fail "#!/usr/bin/env xdg-open" "#!${xdg-utils}/bin/xdg-open" \
+      --replace-fail "/usr/share/pixmaps/AmneziaVPN.png" "$out/share/pixmaps/AmneziaVPN.png"
+  '';
+
+  strictDeps = true;
+
+  nativeBuildInputs = [
+    cmake
+    pkg-config
+    qt6.wrapQtAppsHook
+  ];
+
+  buildInputs = [
+    libsecret
+    qt6.qtbase
+    qt6.qttools
+    kdePackages.qtremoteobjects
+    kdePackages.qtsvg
+    kdePackages.qt5compat
+  ];
+
+  qtWrapperArgs = [
+    ''--prefix PATH : ${
+      lib.makeBinPath [
+        busybox
+        sudo
+      ]
+    }''
+  ];
+
+  postInstall = ''
+    # install AmneziaVPN and AmneziaVPN-service
+    mkdir -p $out/bin
+    cp client/AmneziaVPN $out/bin/
+    cp service/server/AmneziaVPN-service $out/bin/
+
+    # install update-resolv-conf.sh
+    mkdir -p $out/local/bin
+    cp ../deploy/data/linux/client/bin/update-resolv-conf.sh $out/local/bin/
+
+    # install .desktop item
+    mkdir -p $out/share/applications
+    cp ../AppDir/AmneziaVPN.desktop $out/share/applications/
+
+    # install icon
+    mkdir -p $out/share/pixmaps/
+    cp ../deploy/data/linux/AmneziaVPN.png $out/share/pixmaps/
+  '';
+
+  meta = with lib; {
+    description = "Amnezia VPN Client";
+    downloadPage = "https://amnezia.org/en/downloads";
+    homepage = "https://amnezia.org/en";
+    license = licenses.gpl3;
+    mainProgram = "AmneziaVPN";
+    maintainers = with maintainers; [ sund3RRR ];
+    platforms = platforms.unix;
+  };
+})