-#!/usr/bin/env bash
-user="$1"
-rootuser="$HOME/$user/"
-mkdir -p $rootuser
-
-orig="$SSH_ORIGINAL_COMMAND"
-if [ -z "$orig" ]; then
- orig="/bin/bash -l"
-fi
-if [ "${orig:0:7}" = "command" ]; then
- orig="${orig:8}"
-fi
-
-case "$orig" in
-rsync*)
- rrsync $HOME/$user/
- ;;
-*)
- nix_store_paths() {
- nix-store -q -R \
- /run/current-system/sw \
- /etc/profiles/per-user/pub \
- /etc/ssl/certs/ca-bundle.crt \
- | while read i; do
- printf '%s--ro-bind\0'$i'\0'$i'\0' ''
- done
- }
-
- set -euo pipefail
- (exec -c bwrap --ro-bind /usr /usr \
- --args 10 \
- --dir /tmp \
- --dir /var \
- --symlink ../tmp var/tmp \
- --proc /proc \
- --dev /dev \
- --ro-bind /etc/resolv.conf /etc/resolv.conf \
- --ro-bind /etc/zoneinfo /etc/zoneinfo \
- --ro-bind /etc/ssl /etc/ssl \
- --ro-bind /etc/static/ssl/certs /etc/static/ssl/certs \
- --ro-bind /run/current-system/sw/lib/locale/locale-archive /etc/locale-archive \
- --ro-bind /run/current-system/sw/bin /bin \
- --ro-bind /etc/profiles/per-user/pub/bin /bin-pub \
- --bind /var/lib/pub/$user /var/lib/pub \
- --dir /var/lib/commons \
- --ro-bind $TMUX_RESTRICT /var/lib/commons/tmux.restrict.conf \
- --chdir /var/lib/pub \
- --unshare-all \
- --share-net \
- --dir /run/user/$(id -u) \
- --setenv TERM "$TERM" \
- --setenv LOCALE_ARCHIVE "/etc/locale-archive" \
- --setenv XDG_RUNTIME_DIR "/run/user/`id -u`" \
- --setenv PS1 "$user@pub $ " \
- --setenv PATH "/bin:/bin-pub" \
- --setenv HOME "/var/lib/pub" \
- --file 11 /etc/passwd \
- --file 12 /etc/group \
- -- $orig) \
- 10< <(nix_store_paths) \
- 11< <(getent passwd $UID 65534) \
- 12< <(getent group $(id -g) 65534)
- ;;
-esac