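{ lib, pkgs, config, ... }:
let
  # Wrapper around ./restrict, the restricted login program handed to the
  # `pub` account by the ssh module below.  The script is copied into the
  # store, made executable, its shebang is rewritten to store paths, and it is
  # wrapped so that bubblewrap and rrsync are found first on PATH and
  # TMUX_RESTRICT points at the bundled tmux configuration.
  # Note: --prefix prepends to PATH; whatever PATH the caller already had is
  # still searched after these two directories.
  restrict = pkgs.runCommand "restrict" {
    file = ./restrict;
    # makeWrapper is only needed at build time, so it is a native build input.
    nativeBuildInputs = [ pkgs.makeWrapper ];
  } ''
    mkdir -p $out/bin
    cp $file $out/bin/restrict
    chmod a+x $out/bin/restrict
    patchShebangs $out/bin/restrict
    wrapProgram $out/bin/restrict \
      --prefix PATH : ${lib.makeBinPath [ pkgs.bubblewrap pkgs.rrsync ]} \
      --set TMUX_RESTRICT ${./tmux.restrict.conf}
  '';

  cfg = config.myServices.pub;
in
{
  options = {
    myServices.pub.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Whether to enable pub user.
      '';
    };

    # Attribute set of user name -> list of packages.  Each entry becomes a
    # buildEnv profile symlinked at $out/pub/<user> in the system closure (see
    # system.extraSystemBuilderCmds below).
    myServices.pub.usersProfiles = lib.mkOption {
      type = lib.types.attrsOf (lib.types.listOf lib.types.package);
      default = {};
      description = ''
        specific user profile
      '';
    };

    # Read-only: exposes the wrapped restrict program so other modules can
    # refer to the same store path instead of rebuilding it.
    myServices.pub.restrictCommand = lib.mkOption {
      type = lib.types.path;
      readOnly = true;
      default = "${restrict}/bin/restrict";
      description = ''
        path to the restrict shell
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    # Presumably a regex matching per-user nix profile directories under the
    # pub home; they are reproducible from usersProfiles, so not backed up.
    services.borgBackup.profiles.global.ignoredPaths = [
      "pub/.nix-.*"
    ];

    myServices.dns.zones."immae.eu".subdomains.pub =
      with config.myServices.dns.helpers; ips servers.eldiron.ips.main;

    # Service metadata published for the chatons listing.
    myServices.chatonsProperties.services.vm-like = {
      file.datetime = "2022-08-22T01:00:00";
      service = {
        name = "Comptes shell";
        description = "Compte shell cloisonné";
        logo = "https://www.openssh.com/favicon.ico";
        website = "pub.immae.eu";
        status.level = "OK";
        status.description = "OK";
        registration."" = ["MEMBER" "CLIENT"];
        registration.load = "OPEN";
        install.type = "PACKAGE";
      };
      software = {
        name = "Openssh";
        website = "https://www.openssh.com/";
        license.url = "https://github.com/openssh/openssh-portable/blob/master/LICENCE";
        license.name = "BSD Licence";
        version = pkgs.openssh.version;
        source.url = "https://github.com/openssh/openssh-portable";
      };
    };

    # SSH hook for the pub account.  The snippet (./ldap_pub.sh) receives two
    # LDAP groups -- `forward` and `restrict` -- and the path of the restrict
    # wrapper; how it maps group membership to what a key may run is defined in
    # the snippet, not here.  The wrapper path is taken from the read-only
    # option above so there is a single source of truth.
    myServices.ssh.modules.pub = {
      snippet = builtins.readFile ./ldap_pub.sh;
      dependencies = [ pkgs.coreutils ];
      vars.ldap_forward_group = "cn=forward,cn=pub,ou=services,dc=immae,dc=eu";
      vars.ldap_pub_group = "cn=restrict,cn=pub,ou=services,dc=immae,dc=eu";
      vars.echo_command = "${pkgs.coreutils}/bin/echo";
      vars.restrict_command = cfg.restrictCommand;
    };

    # Materialise one buildEnv profile per usersProfiles entry inside the
    # system closure, at $out/pub/<user>, so the profiles are garbage-collection
    # roots for as long as the system generation is.
    system.extraSystemBuilderCmds = let
      toProfile = user: paths: pkgs.buildEnv {
        name = "${user}-profile";
        inherit paths;
      };
      linkProfile = user: profilePaths:
        "ln -s ${toProfile user profilePaths} $out/pub/${user}";
    in ''
      mkdir -p $out/pub
      ${lib.concatStringsSep "\n" (lib.mapAttrsToList linkProfile cfg.usersProfiles)}
    '';

    # The shared account every restricted shell session lands on.
    # NOTE(review): useDefaultShell gives this account a regular login shell;
    # the confinement visible in this file is applied through the ssh module
    # (restrict_command), so confirm no other login path reaches the account.
    # NOTE(review): "nogroup" is a catch-all group shared with other
    # accounts; a dedicated group would keep group-owned files in the home
    # directory from being readable by unrelated nogroup processes -- confirm
    # whether that matters for this deployment.
    users.users.pub = {
      createHome = true;
      description = "Restricted shell user";
      home = "/var/lib/pub";
      uid = config.myEnv.users.pub.uid;
      isNormalUser = true;
      group = "nogroup";
      useDefaultShell = true;
      packages = [
        pkgs.tmux
      ];
    };
  };
}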