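#!/usr/bin/env bash
#
# SSH forced-command wrapper.
#
# Either hands an rsync request to rrsync, restricted to $HOME/<user>/, or
# runs the requested command inside a bwrap sandbox whose writable area is
# /var/lib/pub/<user> (mounted as /var/lib/pub) and whose read-only Nix
# store closure is fed to bwrap through fd 10.
#
# Usage (authorized_keys):  command="/path/to/this-script <user>" ...
# Reads:  $1 (sandbox user name), SSH_ORIGINAL_COMMAND, HOME, TERM,
#         TMUX_RESTRICT (host path of the tmux restriction config).
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

user=${1:-}
# $user is spliced into host paths below (mkdir, rrsync root, --bind source);
# refuse values that could leave the per-user directory. It normally comes from
# authorized_keys rather than the remote side, but a bad entry there should
# fail closed instead of binding an unexpected directory.
case "$user" in
  ''|.|..|*/*) die "invalid user name" ;;
esac
rootuser="${HOME:?HOME is not set}/$user/"
mkdir -p -- "$rootuser"

# The remote command is untrusted text; it is treated as data until it is
# handed to bwrap as argv at the very end.
orig="${SSH_ORIGINAL_COMMAND:-}"
if [[ -z "$orig" ]]; then
  orig="/bin/bash -l"
fi
# Some clients prefix the request with the literal word "command ". Match the
# full "command " prefix rather than the first seven characters so that a
# command merely starting with "command" is not truncated.
if [[ "$orig" == "command "* ]]; then
  orig="${orig#command }"
fi

#######################################
# Emit bwrap "--ro-bind <p> <p>" argument triples, NUL-separated, for the
# closure of the system profile, the pub user profile and the CA bundle.
# Globals:  none
# Outputs:  NUL-delimited bwrap arguments on stdout (consumed via --args 10)
#######################################
nix_store_paths() {
  local p
  nix-store -q -R \
    /run/current-system/sw \
    /etc/profiles/per-user/pub \
    /etc/ssl/certs/ca-bundle.crt \
  | while IFS= read -r p; do
      # The path is a printf argument, not part of the format string, so a
      # '%' or backslash in it cannot change the output.
      printf -- '--ro-bind\0%s\0%s\0' "$p" "$p"
    done
}

case "$orig" in
  rsync*)
    # rrsync re-parses the raw SSH_ORIGINAL_COMMAND itself; this only pins
    # the directory it may operate on.
    rrsync "$rootuser"
    ;;
  *)
    uid=$(id -u)
    gid=$(id -g)

    # $orig is deliberately left unquoted so the remote command splits into
    # argv words. Globbing is switched off first so those words are never
    # matched against the host filesystem before bwrap sees them.
    set -f
    # exec -c starts bwrap with an empty environment; only the --setenv
    # values below reach the sandboxed process.
    # shellcheck disable=SC2086 — intentional word-splitting of $orig
    (exec -c bwrap --ro-bind /usr /usr \
      --args 10 \
      --dir /tmp \
      --dir /var \
      --symlink ../tmp var/tmp \
      --proc /proc \
      --dev /dev \
      --ro-bind /etc/resolv.conf /etc/resolv.conf \
      --ro-bind /etc/zoneinfo /etc/zoneinfo \
      --ro-bind /etc/ssl /etc/ssl \
      --ro-bind /etc/static/ssl/certs /etc/static/ssl/certs \
      --ro-bind /run/current-system/sw/lib/locale/locale-archive /etc/locale-archive \
      --ro-bind /run/current-system/sw/bin /bin \
      --ro-bind /etc/profiles/per-user/pub/bin /bin-pub \
      --bind "/var/lib/pub/$user" /var/lib/pub \
      --dir /var/lib/commons \
      --ro-bind "${TMUX_RESTRICT:?TMUX_RESTRICT is not set}" /var/lib/commons/tmux.restrict.conf \
      --chdir /var/lib/pub \
      --unshare-all \
      --share-net \
      --dir "/run/user/$uid" \
      --setenv TERM "${TERM:-}" \
      --setenv LOCALE_ARCHIVE "/etc/locale-archive" \
      --setenv XDG_RUNTIME_DIR "/run/user/$uid" \
      --setenv PS1 "$user@pub $ " \
      --setenv PATH "/bin:/bin-pub" \
      --setenv HOME "/var/lib/pub" \
      --file 11 /etc/passwd \
      --file 12 /etc/group \
      -- $orig) \
      10< <(nix_store_paths) \
      11< <(getent passwd "$uid" 65534) \
      12< <(getent group "$gid" 65534)
    ;;
esac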