projects / perso / Immae / Config / Nix.git / blame
| Commit | Line | Data |
|---|---|---|
| 1a64deeb IB |
1 | { lib, pkgs, config, ... }: |
| 2 | let | |
| 3 | restrict = pkgs.runCommand "restrict" { | |
| 4 | file = ./restrict; | |
| 5 | buildInputs = [ pkgs.makeWrapper ]; | |
| 6 | } '' | |
| 7 | mkdir -p $out/bin | |
| 8 | cp $file $out/bin/restrict | |
| 9 | chmod a+x $out/bin/restrict | |
| 10 | patchShebangs $out/bin/restrict | |
| 11 | wrapProgram $out/bin/restrict \ | |
| 12 | --prefix PATH : ${lib.makeBinPath [ pkgs.bubblewrap pkgs.rrsync ]} \ | |
| 13 | --set TMUX_RESTRICT ${./tmux.restrict.conf} | |
| 14 | ''; | |
| 15 | in | |
| 16 | { | |
| 17 | options = { | |
| 18 | myServices.pub.enable = lib.mkOption { | |
| 19 | type = lib.types.bool; | |
| 20 | default = false; | |
| 21 | description = '' | |
| 22 | Whether to enable pub user. | |
| 23 | ''; | |
| 24 | }; | |
| 25 | myServices.pub.usersProfiles = lib.mkOption { | |
| 26 | type = lib.types.attrsOf (lib.types.listOf lib.types.package); | |
| 27 | default = {}; | |
| 28 | description = '' | |
| 29 | specific user profile | |
| 30 | ''; | |
| 31 | }; | |
| 32 | myServices.pub.restrictCommand = lib.mkOption { | |
| 33 | type = lib.types.path; | |
| 34 | readOnly = true; | |
| 35 | default = "${restrict}/bin/restrict"; | |
| 36 | description = '' | |
| 37 | path to the restrict shell | |
| 38 | ''; | |
| 39 | }; | |
| 40 | }; | |
| 41 | ||
| 42 | config = lib.mkIf config.myServices.pub.enable { | |
| 1c90c0dd IB |
43 | services.borgBackup.profiles.global.ignoredPaths = [ |
| 44 | "pub/.nix-.*" | |
| 45 | ]; | |
| 1a64deeb IB |
46 | myServices.dns.zones."immae.eu".subdomains.pub = |
| 47 | with config.myServices.dns.helpers; ips servers.eldiron.ips.main; | |
| 48 | ||
| 49 | myServices.chatonsProperties.services.vm-like = { | |
| 50 | file.datetime = "2022-08-22T01:00:00"; | |
| 51 | service = { | |
| 52 | name = "Comptes shell"; | |
| 53 | description = "Compte shell cloisonné"; | |
| 54 | logo = "https://www.openssh.com/favicon.ico"; | |
| 55 | website = "pub.immae.eu"; | |
| 56 | status.level = "OK"; | |
| 57 | status.description = "OK"; | |
| 58 | registration."" = ["MEMBER" "CLIENT"]; | |
| 59 | registration.load = "OPEN"; | |
| 60 | install.type = "PACKAGE"; | |
| 61 | }; | |
| 62 | software = { | |
| 63 | name = "Openssh"; | |
| 64 | website = "https://www.openssh.com/"; | |
| 65 | license.url = "https://github.com/openssh/openssh-portable/blob/master/LICENCE"; | |
| 66 | license.name = "BSD Licence"; | |
| 67 | version = pkgs.openssh.version; | |
| 68 | source.url = "https://github.com/openssh/openssh-portable"; | |
| 69 | }; | |
| 70 | }; | |
| 71 | myServices.ssh.modules.pub = { | |
| 72 | snippet = builtins.readFile ./ldap_pub.sh; | |
| 73 | dependencies = [ pkgs.coreutils ]; | |
| 74 | vars.ldap_forward_group = "cn=forward,cn=pub,ou=services,dc=immae,dc=eu"; | |
| 75 | vars.ldap_pub_group = "cn=restrict,cn=pub,ou=services,dc=immae,dc=eu"; | |
| 76 | vars.echo_command = "${pkgs.coreutils}/bin/echo"; | |
| 77 | vars.restrict_command = "${restrict}/bin/restrict"; | |
| 78 | }; | |
| 79 | ||
| 80 | system.extraSystemBuilderCmds = let | |
| 81 | toPath = u: paths: pkgs.buildEnv { | |
| 82 | name = "${u}-profile"; | |
| 83 | inherit paths; | |
| 84 | }; | |
| 85 | in '' | |
| 86 | mkdir -p $out/pub | |
| 87 | ${builtins.concatStringsSep "\n" (lib.mapAttrsToList (u: m: "ln -s ${toPath u m} $out/pub/${u}") config.myServices.pub.usersProfiles)} | |
| 88 | ''; | |
| 89 | users.users.pub = let | |
| 90 | in { | |
| 91 | createHome = true; | |
| 92 | description = "Restricted shell user"; | |
| 93 | home = "/var/lib/pub"; | |
| 94 | uid = config.myEnv.users.pub.uid; | |
| 95 | isNormalUser = true; | |
| 96 | group = "nogroup"; | |
| 97 | useDefaultShell = true; | |
| 98 | packages = [ | |
| 99 | pkgs.tmux | |
| 100 | ]; | |
| 101 | }; | |
| 102 | }; | |
| 103 | } |