Diffstat (limited to 'pkgs/tools/security/orjail/default.nix')
-rw-r--r--pkgs/tools/security/orjail/default.nix55
1 files changed, 55 insertions, 0 deletions
diff --git a/pkgs/tools/security/orjail/default.nix b/pkgs/tools/security/orjail/default.nix
new file mode 100644
index 00000000000..adcbf5ae4f9
--- /dev/null
+++ b/pkgs/tools/security/orjail/default.nix
@@ -0,0 +1,55 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, tor
+, firejail
+, iptables
+, makeWrapper
+}:
+
+stdenv.mkDerivation rec {
+  pname = "orjail";
+  version = "1.1";
+
+  src = fetchFromGitHub {
+    owner = pname;
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "06bwqb3l7syy4c1d8xynxwakmdxvm3qfm8r834nidsknvpdckd9z";
+  };
+
+  nativeBuildInputs = [ makeWrapper ];
+
+  postPatch = ''
+    patchShebangs make-helper.bsh
+    mkdir bin
+    mv usr/sbin/orjail bin/orjail
+    rm -r usr
+  '';
+
+  makeFlags = [
+    "DESTDIR=${placeholder "out"}"
+  ];
+
+  postInstall = ''
+    # Specify binary paths: tor, firejail, iptables
+    # mktemp fails with /tmp path prefix, will work without it anyway
+    # https://github.com/orjail/orjail/issues/78
+    # firejail will fail reading /etc/hosts, therefore remove --hostname arg
+    # https://github.com/netblue30/firejail/issues/2758
+    substituteInPlace $out/bin/orjail \
+      --replace ''$'TORBIN=\n' ''$'TORBIN=${tor}/bin/tor\n' \
+      --replace ''$'FIREJAILBIN=\n' ''$'FIREJAILBIN=${firejail}/bin/firejail\n' \
+      --replace 'iptables -' '${iptables}/bin/iptables -' \
+      --replace 'mktemp /tmp/' 'mktemp ' \
+      --replace '--hostname=host ' ""
+  '';
+
+  meta = with lib; {
+    description = "Force programs to exclusively use tor network";
+    homepage = "https://github.com/orjail/orjail";
+    license = licenses.wtfpl;
+    maintainers = with maintainers; [ onny ];
+    platforms = platforms.linux;
+  };
+}
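Review bot: The `substituteInPlace` call in `postInstall` has no check that its `--replace` patterns actually matched, so if upstream ever renames `TORBIN=`/`FIREJAILBIN=` or changes the `iptables -`/`mktemp /tmp/` spelling the build still succeeds and the installed script keeps empty or bare command names, which presumably means the tool would then pick whichever `tor`/`firejail`/`iptables` happens to be on the caller's PATH — for a tool whose job is to force traffic through tor that should fail at build time, not silently at run time. A version-independent guard after the substitution would be `grep -q 'TORBIN=${tor}/bin/tor' $out/bin/orjail` and `grep -q 'FIREJAILBIN=${firejail}/bin/firejail' $out/bin/orjail` (and likewise for the iptables path). Separately, `makeWrapper` is listed in `nativeBuildInputs` but nothing in this file calls `wrapProgram`/`makeWrapper`, so it appears to be an unused input that can be dropped. The `--hostname=host` removal is already explained by the in-file comment, but it would help a reader to note there that the sandbox consequently inherits the host's hostname.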