X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fprivate%2Fpub%2Frestrict;fp=modules%2Fprivate%2Fpub%2Frestrict;h=b2f3be369f1a60fb0efb56d7d04e8cdcc0a687c2;hb=8d213e2b1c934f6861f76aad5eb7c11097fa97de;hp=0000000000000000000000000000000000000000;hpb=a1a8649a2be768685eb04c246c114fce36b8096f;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/modules/private/pub/restrict b/modules/private/pub/restrict
new file mode 100644
index 0000000..b2f3be3
--- /dev/null
+++ b/modules/private/pub/restrict
@@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+user="$1"
+rootuser="$HOME/$user/"
+mkdir -p $rootuser
+
+orig="$SSH_ORIGINAL_COMMAND"
+if [ -z "$orig" ]; then
+ orig="/bin/bash -l"
+fi
+if [ "${orig:0:7}" = "command" ]; then
+ orig="${orig:8}"
+fi
+
+case "$orig" in
+rsync*)
+ rrsync $HOME/$user/
+ ;;
+*)
+ nix_store_paths() {
+ nix-store -q -R \
+ /run/current-system/sw \
+ /etc/profiles/per-user/pub \
+ /etc/ssl/certs/ca-bundle.crt \
+ | while read i; do
+ printf '%s--ro-bind\0'$i'\0'$i'\0' ''
+ done
+ }
+
+ set -euo pipefail
+ (exec -c bwrap --ro-bind /usr /usr \
+ --args 10 \
+ --dir /tmp \
+ --dir /var \
+ --symlink ../tmp var/tmp \
+ --proc /proc \
+ --dev /dev \
+ --ro-bind /etc/resolv.conf /etc/resolv.conf \
+ --ro-bind /etc/zoneinfo /etc/zoneinfo \
+ --ro-bind /etc/ssl /etc/ssl \
+ --ro-bind /etc/static/ssl/certs /etc/static/ssl/certs \
+ --ro-bind /run/current-system/sw/lib/locale/locale-archive /etc/locale-archive \
+ --ro-bind /run/current-system/sw/bin /bin \
+ --ro-bind /etc/profiles/per-user/pub/bin /bin-pub \
+ --bind /var/lib/pub/$user /var/lib/pub \
+ --dir /var/lib/commons \
+ --ro-bind $TMUX_RESTRICT /var/lib/commons/tmux.restrict.conf \
+ --chdir /var/lib/pub \
+ --unshare-all \
+ --share-net \
+ --dir /run/user/$(id -u) \
+ --setenv TERM "$TERM" \
+ --setenv LOCALE_ARCHIVE "/etc/locale-archive" \
+ --setenv XDG_RUNTIME_DIR "/run/user/`id -u`" \
+ --setenv PS1 "$user@pub $ " \
+ --setenv PATH "/bin:/bin-pub" \
+ --setenv HOME "/var/lib/pub" \
+ --file 11 /etc/passwd \
+ --file 12 /etc/group \
+ -- $orig) \
+ 10< <(nix_store_paths) \
+ 11< <(getent passwd $UID 65534) \
+ 12< <(getent group $(id -g) 65534)
+ ;;
+esac
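Review bot: `-- $orig` at the end of the bwrap invocation hands the client-controlled `SSH_ORIGINAL_COMMAND` to the host shell unquoted, so word-splitting and glob expansion happen on the host side before the sandbox exists — a command such as `ls *` would expand `*` against the script's own cwd (outside the bind-mounted `/var/lib/pub/$user`) and leak host filenames into the sandboxed command line, and any quoting the client used is lost. Parsing the string with a shell inside the sandbox, `-- /bin/bash -c "$orig"`, keeps expansion on the sandboxed side; `/bin` is bound from `/run/current-system/sw/bin` so `bash` should be reachable there, and the `/bin/bash -l` default still works as a `-c` string. In `nix_store_paths`, the store path is spliced into the printf *format* string and read without `-r`; `while IFS= read -r i; do printf -- '--ro-bind\0%s\0%s\0' "$i" "$i"; done` gives the same NUL-separated output without relying on store paths never containing `%` or backslashes. Consider also adding `--die-with-parent` (and `--new-session` when a pty is allocated) to the bwrap line so a dropped SSH session does not leave sandboxed processes running, and a sanity check on `$user` such as `[[ "$user" =~ ^[A-Za-z0-9_-]+$ ]] || exit 1` before it is used in `mkdir -p` and `--bind` paths, since an admin typo with `/` or `..` in the forced-command argument would widen the bind mount.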