# NixOS module for a confined "pub" shell account. This listing is an excerpt:
# the gutter numbers skip lines, so several bodies below are only partly visible.
1 { lib, pkgs, config, ... }:
# `restrict`: derivation that copies a script ($file, bound on a line not shown)
# to $out/bin/restrict, makes it executable, patches its shebang and wraps it.
# The wrapper puts bubblewrap and rrsync at the front of PATH and sets
# TMUX_RESTRICT to the store path of ./tmux.restrict.conf.
# NOTE(review): --prefix only prepends; the remainder of PATH is inherited from
# whatever starts the wrapper, so any other tool the script calls by bare name is
# resolved through that inherited PATH. If this script is the confinement
# boundary, consider `--set PATH` with every tool it needs, or absolute store
# paths inside the script. Confirm against the script itself.
3 restrict = pkgs.runCommand "restrict" {
5 buildInputs = [ pkgs.makeWrapper ];
8 cp $file $out/bin/restrict
9 chmod a+x $out/bin/restrict
10 patchShebangs $out/bin/restrict
11 wrapProgram $out/bin/restrict \
12 --prefix PATH : ${lib.makeBinPath [ pkgs.bubblewrap pkgs.rrsync ]} \
13 --set TMUX_RESTRICT ${./tmux.restrict.conf}
# Master switch: the `config` section of this module is wrapped in
# lib.mkIf on this option.
18 myServices.pub.enable = lib.mkOption {
19 type = lib.types.bool;
22 Whether to enable pub user.
# Attribute set mapping a name (presumably a pub user name, verify against
# callers) to a list of packages. Each entry becomes a "<name>-profile" buildEnv
# linked at $out/pub/<name> by system.extraSystemBuilderCmds.
25 myServices.pub.usersProfiles = lib.mkOption {
26 type = lib.types.attrsOf (lib.types.listOf lib.types.package);
# Path of the restricted-shell entry point; defaults to the wrapped script from
# the `restrict` derivation.
# NOTE(review): in the lines visible here, the ssh module's vars.restrict_command
# is set to "${restrict}/bin/restrict" directly rather than to this option, so
# overriding the option would not change what the ssh snippet runs. Confirm where
# this option is actually consumed.
32 myServices.pub.restrictCommand = lib.mkOption {
33 type = lib.types.path;
35 default = "${restrict}/bin/restrict";
37 path to the restrict shell
# Everything below is applied only when myServices.pub.enable is true.
42 config = lib.mkIf config.myServices.pub.enable {
# Presumably paths left out of the global borg backup profile; the entries
# themselves are not shown in this excerpt.
43 services.borgBackup.profiles.global.ignoredPaths = [
# DNS: the `pub` subdomain of immae.eu is built from servers.eldiron.ips.main
# through the `ips` helper from myServices.dns.helpers.
46 myServices.dns.zones."immae.eu".subdomains.pub =
47 with config.myServices.dns.helpers; ips servers.eldiron.ips.main;
# Descriptive metadata for the service listing (name, description, registration
# policy, upstream software). Nothing visible here affects the confinement itself.
49 myServices.chatonsProperties.services.vm-like = {
50 file.datetime = "2022-08-22T01:00:00";
52 name = "Comptes shell";
53 description = "Compte shell cloisonné";
# NOTE(review): the logo is hotlinked from openssh.com, so whatever renders this
# metadata makes its viewers fetch a third-party URL. Consider a locally hosted copy.
54 logo = "https://www.openssh.com/favicon.ico";
55 website = "pub.immae.eu";
57 status.description = "OK";
58 registration."" = ["MEMBER" "CLIENT"];
59 registration.load = "OPEN";
60 install.type = "PACKAGE";
64 website = "https://www.openssh.com/";
65 license.url = "https://github.com/openssh/openssh-portable/blob/master/LICENCE";
66 license.name = "BSD Licence";
67 version = pkgs.openssh.version;
68 source.url = "https://github.com/openssh/openssh-portable";
# ssh module "pub": ./ldap_pub.sh is read at evaluation time and used as the
# snippet; the vars below are made available to it.
# NOTE(review): the decision about which sessions get restrict_command lives in
# ldap_pub.sh, which is not shown. Presumably it keys on membership of the two
# LDAP groups below. When reviewing that script, check that a failed or empty
# LDAP lookup fails closed (no unconfined session) and that the DNs are quoted
# where they are substituted.
71 myServices.ssh.modules.pub = {
72 snippet = builtins.readFile ./ldap_pub.sh;
73 dependencies = [ pkgs.coreutils ];
74 vars.ldap_forward_group = "cn=forward,cn=pub,ou=services,dc=immae,dc=eu";
75 vars.ldap_pub_group = "cn=restrict,cn=pub,ou=services,dc=immae,dc=eu";
76 vars.echo_command = "${pkgs.coreutils}/bin/echo";
# NOTE(review): hard-wired to the derivation, not to
# config.myServices.pub.restrictCommand. An override of that option is not
# picked up here, from what is visible.
77 vars.restrict_command = "${restrict}/bin/restrict";
# At system build time, each usersProfiles entry is turned into a buildEnv named
# "<u>-profile" and symlinked at $out/pub/<u>.
# NOTE(review): the attribute name `u` is interpolated unquoted into the generated
# `ln -s` shell line. The names come from module configuration rather than
# runtime input, but a name containing whitespace or shell metacharacters would
# change the command that runs. Consider lib.escapeShellArg on the target path.
80 system.extraSystemBuilderCmds = let
81 toPath = u: paths: pkgs.buildEnv {
82 name = "${u}-profile";
87 ${builtins.concatStringsSep "\n" (lib.mapAttrsToList (u: m: "ln -s ${toPath u m} $out/pub/${u}") config.myServices.pub.usersProfiles)}
# Account attributes for the restricted shell user: home is /var/lib/pub and the
# uid is taken from config.myEnv.users.pub.uid.
92 description = "Restricted shell user";
93 home = "/var/lib/pub";
94 uid = config.myEnv.users.pub.uid;
# NOTE(review): the account keeps the system default login shell, so the
# confinement appears to rest on the ssh snippet running restrict_command rather
# than on the login shell. Confirm that every way of obtaining a session as this
# account goes through that snippet.
97 useDefaultShell = true;