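# NixOS module for the "pub" restricted-shell account.
#
# Declares the myServices.pub.* options, registers the account with the
# DNS, chatons and ssh modules of this configuration, and publishes one
# package profile per entry of usersProfiles under $out/pub/<user> in the
# system closure.
{ lib, pkgs, config, ... }:
let
  cfg = config.myServices.pub;

  # Wrapper around ./restrict: the script is copied into its own store
  # path, its shebang is patched, and it is wrapped so that bubblewrap and
  # rrsync are found on PATH and TMUX_RESTRICT points at the tmux config
  # shipped next to this file.
  restrict = pkgs.runCommand "restrict" {
    file = ./restrict;
    buildInputs = [ pkgs.makeWrapper ];
  } ''
    mkdir -p $out/bin
    cp $file $out/bin/restrict
    chmod a+x $out/bin/restrict
    patchShebangs $out/bin/restrict
    wrapProgram $out/bin/restrict \
      --prefix PATH : ${lib.makeBinPath [ pkgs.bubblewrap pkgs.rrsync ]} \
      --set TMUX_RESTRICT ${./tmux.restrict.conf}
  '';
in
{
  options = {
    # Same as a bool option with default = false and the description
    # "Whether to enable pub user."
    myServices.pub.enable = lib.mkEnableOption "pub user";

    # user name -> list of packages that make up that user's profile.
    myServices.pub.usersProfiles = lib.mkOption {
      type = lib.types.attrsOf (lib.types.listOf lib.types.package);
      default = {};
      description = ''
        specific user profile
      '';
    };

    # Read-only so that other modules look the wrapper path up here instead
    # of re-deriving it from the `restrict` derivation.
    myServices.pub.restrictCommand = lib.mkOption {
      type = lib.types.path;
      readOnly = true;
      default = "${restrict}/bin/restrict";
      description = ''
        path to the restrict shell
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    myServices.dns.zones."immae.eu".subdomains.pub =
      with config.myServices.dns.helpers; ips servers.eldiron.ips.main;

    myServices.chatonsProperties.services.vm-like = {
      file.datetime = "2022-08-22T01:00:00";
      service = {
        name = "Comptes shell";
        description = "Compte shell cloisonné";
        logo = "https://www.openssh.com/favicon.ico";
        website = "pub.immae.eu";
        status.level = "OK";
        status.description = "OK";
        registration."" = ["MEMBER" "CLIENT"];
        registration.load = "OPEN";
        install.type = "PACKAGE";
      };
      software = {
        name = "Openssh";
        website = "https://www.openssh.com/";
        license.url = "https://github.com/openssh/openssh-portable/blob/master/LICENCE";
        license.name = "BSD Licence";
        version = pkgs.openssh.version;
        source.url = "https://github.com/openssh/openssh-portable";
      };
    };

    # Hook for the ssh module; the snippet itself (./ldap_pub.sh) is not
    # visible here, only the variables it is given.
    myServices.ssh.modules.pub = {
      snippet = builtins.readFile ./ldap_pub.sh;
      dependencies = [ pkgs.coreutils ];
      vars.ldap_forward_group = "cn=forward,cn=pub,ou=services,dc=immae,dc=eu";
      vars.ldap_pub_group = "cn=restrict,cn=pub,ou=services,dc=immae,dc=eu";
      vars.echo_command = "${pkgs.coreutils}/bin/echo";
      # Taken from the read-only option above so the two paths cannot drift.
      vars.restrict_command = cfg.restrictCommand;
    };

    # One buildEnv per entry of usersProfiles, linked as $out/pub/<user>
    # in the system closure.
    system.extraSystemBuilderCmds = let
      toPath = u: paths: pkgs.buildEnv {
        name = "${u}-profile";
        inherit paths;
      };
      # The attribute name is spliced into a shell command, so quote it.
      link = u: m: "ln -s ${toPath u m} $out/pub/${lib.escapeShellArg u}";
    in ''
      mkdir -p $out/pub
      ${lib.concatStringsSep "\n" (lib.mapAttrsToList link cfg.usersProfiles)}
    '';

    users.users.pub = {
      createHome = true;
      description = "Restricted shell user";
      home = "/var/lib/pub";
      uid = config.myEnv.users.pub.uid;
      isNormalUser = true;
      # Explicit group rather than the one isNormalUser would pick.
      group = "nogroup";
      # The login shell is not restricted here; the restrict wrapper is
      # handed to the ssh module above (vars.restrict_command) and is
      # presumably applied from ldap_pub.sh — confirm there.
      useDefaultShell = true;
      packages = [
        pkgs.tmux
      ];
    };
  };
}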