Estonian i-voting application

gistfile1.txt

{ stdenv
, lib

, fetchurl

, makeWrapper
, fontconfig
, libXft
, opensc
, xorg
, ...
}:

let
  newLibpath = lib.makeLibraryPath [
    fontconfig
    stdenv.cc.cc.lib
    xorg.libX11
    libXft
  ];

in
stdenv.mkDerivation {
  name = "i-voting-ee";
  version = "unstable-2024-06-06";

  src = fetchurl {
    url = "https://www.valimised.ee/valijarakendus/EP_2024_linux.bin";
    hash = "sha256-9jOkA595D2A0Dg9L8ycohPnjexATv7ZGYbKmBpVJwXI=";
    # f633a4039f790f60340e0f4bf3272884f9e37b1013bfb64661b2a6069549c172
    # as per https://www.valimised.ee/sites/default/files/2024-06/kontrollnumbrid-EP_2024%201.asice
  };

  nativeBuildInputs = [ makeWrapper ];

  dontUnpack = true;

  buildPhase = ''
    cp $src exe
    chmod +wx exe

    patchelf \
      --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \
      --set-rpath "${newLibpath}:${opensc}/lib/pkcs11" \
      exe

    mkdir -p $out/bin/
    mv exe $out/bin/i-voting-ee

    wrapProgram $out/bin/i-voting-ee \
      --set EVOTE_PKCS11_LIB ${opensc}/lib/pkcs11/opensc-pkcs11.so
  '';
}

Can be sandboxed with something like this:

bwrap --ro-bind /nix/store /nix/store --tmpfs /tmp --dev-bind /dev /dev --proc /proc --ro-bind /run/user/$(id -u) /run/user/$(id -u) --bind /tmp/.X11-unix/X1 /tmp/.X11-unix/X1 --bind /run/pcscd/pcscd.comm /run/pcscd/pcscd.comm --setenv DISPLAY :1 --unshare-all --share-net --die-with-parent --new-session $(readlink result)/bin/i-voting-ee