--- /dev/null
+{ lib, pkgs, config, myconfig, mylibs, ... }:
+{
+ options = {
+ services.pub.enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = ''
+ Whether to enable pub user.
+ '';
+ };
+ };
+
+ config = lib.mkIf config.services.pub.enable {
+ users.users.pub = let
+ restrict = pkgs.runCommand "restrict" {
+ file = ./restrict;
+ buildInputs = [ pkgs.makeWrapper ];
+ } ''
+ mkdir -p $out/bin
+ cp $file $out/bin/restrict
+ chmod a+x $out/bin/restrict
+ patchShebangs $out/bin/restrict
+ wrapProgram $out/bin/restrict \
+ --prefix PATH : ${lib.makeBinPath [ pkgs.bubblewrap pkgs.rrsync ]} \
+ --set TMUX_RESTRICT ${./tmux.restrict.conf}
+ '';
+ in {
+ createHome = true;
+ description = "Restricted shell user";
+ home = "/var/lib/pub";
+ uid = myconfig.env.users.pub.uid;
+ useDefaultShell = true;
+ packages = [
+ restrict
+ pkgs.tmux
+ (pkgs.pidgin.override { plugins = [
+ pkgs.purple-plugin-pack pkgs.purple-hangouts
+ pkgs.purple-discord pkgs.purple-facebook
+ pkgs.telegram-purple
+ ]; })
+ ];
+ };
+ };
+}
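Review bot: Nothing in the `users.users.pub` block makes the `restrict` wrapper mandatory: it is only added to `packages`, while `useDefaultShell = true` gives the account the system default shell. The confinement (bubblewrap, rrsync, `TMUX_RESTRICT`) presumably depends on a forced command attached to the account's SSH keys somewhere outside this file; if so, record that next to `useDefaultShell`, e.g. `# restrict is enforced by command="…" in authorized_keys, not by the login shell; a key without it gets an unrestricted shell`. It is also worth checking that the account has no usable password and that sshd cannot give it a session without the forced command, since the wrapper is the only visible boundary around tmux and pidgin. Separately, the option `description` could say what the account is for and that it is meant to be confined, rather than "Whether to enable pub user.".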