[perso/Immae/Config/Nix.git] / nixops / modules / pub / restrict

#!/usr/bin/env bash
user="$1"
rootuser="$HOME/$user/"
mkdir -p $rootuser
mkdir -p $HOME/$user-nixstore

orig="$SSH_ORIGINAL_COMMAND"
if [ -z "$orig" ]; then
  orig="/bin/bash -l"
fi
if [ "${orig:0:7}" = "command" ]; then
  orig="${orig:8}"
fi

case "$orig" in
rsync*)
        rrsync $HOME/$user/
        ;;
*)
        nix_store_paths() {
          nix-store -q -R \
               /run/current-system/sw \
               /etc/profiles/per-user/pub \
               /etc/ssl/certs/ca-bundle.crt \
               | while read i; do
            printf '%s--ro-bind\0'$i'\0'$i'\0' ''
          done
        }

        set -euo pipefail
        (exec -c bwrap --ro-bind /usr /usr \
              --bind /var/lib/pub/$user-nixstore /nix \
              --args 10 \
              --dir /tmp \
              --dir /var \
              --symlink ../tmp var/tmp \
              --proc /proc \
              --dev /dev \
              --ro-bind /etc/resolv.conf /etc/resolv.conf \
              --ro-bind /etc/zoneinfo /etc/zoneinfo \
              --ro-bind /etc/ssl /etc/ssl \
              --ro-bind /etc/static/ssl/certs /etc/static/ssl/certs \
              --ro-bind /run/current-system/sw/lib/locale/locale-archive /etc/locale-archive \
              --ro-bind /run/current-system/sw/bin /bin \
              --ro-bind /etc/profiles/per-user/pub/bin /bin-pub \
              --bind /var/lib/pub/$user /var/lib/pub \
              --ro-bind $TMUX_RESTRICT /var/lib/pub/.tmux.restrict.conf \
              --chdir /var/lib/pub \
              --unshare-all \
              --share-net \
              --dir /run/user/$(id -u) \
              --setenv TERM "$TERM" \
              --setenv LOCALE_ARCHIVE "/etc/locale-archive" \
              --setenv XDG_RUNTIME_DIR "/run/user/`id -u`" \
              --setenv PS1 "$user@pub $ " \
              --setenv PATH "/bin:/bin-pub" \
              --setenv HOME "/var/lib/pub" \
              --file 11 /etc/passwd \
              --file 12 /etc/group \
              -- $orig) \
              10< <(nix_store_paths) \
              11< <(getent passwd $UID 65534) \
              12< <(getent group $(id -g) 65534)
        ;;
esac
Commit	Line	Data
5ccc61bb IB	1	#!/usr/bin/env bash
	2	user="$1"
	3	rootuser="$HOME/$user/"
	4	mkdir -p $rootuser
43e28479	5	mkdir -p $HOME/$user-nixstore
5ccc61bb IB	6
	7	orig="$SSH_ORIGINAL_COMMAND"
	8	if [ -z "$orig" ]; then
	9	orig="/bin/bash -l"
	10	fi
	11	if [ "${orig:0:7}" = "command" ]; then
	12	orig="${orig:8}"
	13	fi
	14
	15	case "$orig" in
	16	rsync*)
	17	rrsync $HOME/$user/
	18	;;
	19	*)
	20	nix_store_paths() {
	21	nix-store -q -R \
	22	/run/current-system/sw \
	23	/etc/profiles/per-user/pub \
43e28479	24	/etc/ssl/certs/ca-bundle.crt \
5ccc61bb	25	\| while read i; do
43e28479	26	printf '%s--ro-bind\0'$i'\0'$i'\0' ''
5ccc61bb IB	27	done
	28	}
	29
	30	set -euo pipefail
	31	(exec -c bwrap --ro-bind /usr /usr \
43e28479	32	--bind /var/lib/pub/$user-nixstore /nix \
5ccc61bb IB	33	--args 10 \
	34	--dir /tmp \
	35	--dir /var \
	36	--symlink ../tmp var/tmp \
	37	--proc /proc \
	38	--dev /dev \
	39	--ro-bind /etc/resolv.conf /etc/resolv.conf \
1be1a523	40	--ro-bind /etc/zoneinfo /etc/zoneinfo \
43e28479 IB	41	--ro-bind /etc/ssl /etc/ssl \
43e28479 IB	42	--ro-bind /etc/static/ssl/certs /etc/static/ssl/certs \
5ccc61bb IB	43	--ro-bind /run/current-system/sw/lib/locale/locale-archive /etc/locale-archive \
	44	--ro-bind /run/current-system/sw/bin /bin \
	45	--ro-bind /etc/profiles/per-user/pub/bin /bin-pub \
	46	--bind /var/lib/pub/$user /var/lib/pub \
	47	--ro-bind $TMUX_RESTRICT /var/lib/pub/.tmux.restrict.conf \
	48	--chdir /var/lib/pub \
	49	--unshare-all \
	50	--share-net \
	51	--dir /run/user/$(id -u) \
	52	--setenv TERM "$TERM" \
	53	--setenv LOCALE_ARCHIVE "/etc/locale-archive" \
	54	--setenv XDG_RUNTIME_DIR "/run/user/`id -u`" \
	55	--setenv PS1 "$user@pub $ " \
	56	--setenv PATH "/bin:/bin-pub" \
	57	--setenv HOME "/var/lib/pub" \
	58	--file 11 /etc/passwd \
	59	--file 12 /etc/group \
	60	-- $orig) \
	61	10< <(nix_store_paths) \
	62	11< <(getent passwd $UID 65534) \
	63	12< <(getent group $(id -g) 65534)
	64	;;
	65	esac