]>
Commit | Line | Data |
---|---|---|
5ccc61bb IB |
1 | #!/usr/bin/env bash |
2 | user="$1" | |
3 | rootuser="$HOME/$user/" | |
4 | mkdir -p $rootuser | |
5 | ||
6 | orig="$SSH_ORIGINAL_COMMAND" | |
7 | if [ -z "$orig" ]; then | |
8 | orig="/bin/bash -l" | |
9 | fi | |
10 | if [ "${orig:0:7}" = "command" ]; then | |
11 | orig="${orig:8}" | |
12 | fi | |
13 | ||
14 | case "$orig" in | |
15 | rsync*) | |
16 | rrsync $HOME/$user/ | |
17 | ;; | |
18 | *) | |
19 | nix_store_paths() { | |
20 | nix-store -q -R \ | |
21 | /run/current-system/sw \ | |
22 | /etc/profiles/per-user/pub \ | |
43e28479 | 23 | /etc/ssl/certs/ca-bundle.crt \ |
5ccc61bb | 24 | | while read i; do |
43e28479 | 25 | printf '%s--ro-bind\0'$i'\0'$i'\0' '' |
5ccc61bb | 26 | done |
1a64deeb IB |
27 | if [ -e "/run/current-system/pub/$user" ]; then |
28 | nix-store -q -R "/run/current-system/pub/$user" \ | |
29 | | while read i; do | |
30 | printf '%s--ro-bind\0'$i'\0'$i'\0' '' | |
31 | done | |
32 | printf '%s--ro-bind\0/run/current-system/pub/'$user'/bin\0/bin-pub-'$user'\0' '' | |
33 | fi | |
5ccc61bb IB |
34 | } |
35 | ||
36 | set -euo pipefail | |
37 | (exec -c bwrap --ro-bind /usr /usr \ | |
38 | --args 10 \ | |
39 | --dir /tmp \ | |
40 | --dir /var \ | |
41 | --symlink ../tmp var/tmp \ | |
42 | --proc /proc \ | |
43 | --dev /dev \ | |
44 | --ro-bind /etc/resolv.conf /etc/resolv.conf \ | |
1be1a523 | 45 | --ro-bind /etc/zoneinfo /etc/zoneinfo \ |
43e28479 IB |
46 | --ro-bind /etc/ssl /etc/ssl \ |
47 | --ro-bind /etc/static/ssl/certs /etc/static/ssl/certs \ | |
5ccc61bb IB |
48 | --ro-bind /run/current-system/sw/lib/locale/locale-archive /etc/locale-archive \ |
49 | --ro-bind /run/current-system/sw/bin /bin \ | |
50 | --ro-bind /etc/profiles/per-user/pub/bin /bin-pub \ | |
51 | --bind /var/lib/pub/$user /var/lib/pub \ | |
7e5b0260 IB |
52 | --dir /var/lib/commons \ |
53 | --ro-bind $TMUX_RESTRICT /var/lib/commons/tmux.restrict.conf \ | |
5ccc61bb IB |
54 | --chdir /var/lib/pub \ |
55 | --unshare-all \ | |
56 | --share-net \ | |
57 | --dir /run/user/$(id -u) \ | |
58 | --setenv TERM "$TERM" \ | |
59 | --setenv LOCALE_ARCHIVE "/etc/locale-archive" \ | |
60 | --setenv XDG_RUNTIME_DIR "/run/user/`id -u`" \ | |
61 | --setenv PS1 "$user@pub $ " \ | |
1a64deeb | 62 | --setenv PATH "/bin-pub-$user:/bin:/bin-pub" \ |
5ccc61bb IB |
63 | --setenv HOME "/var/lib/pub" \ |
64 | --file 11 /etc/passwd \ | |
65 | --file 12 /etc/group \ | |
66 | -- $orig) \ | |
1a64deeb | 67 | 10< <(nix_store_paths | sort | uniq) \ |
5ccc61bb IB |
68 | 11< <(getent passwd $UID 65534) \ |
69 | 12< <(getent group $(id -g) 65534) | |
70 | ;; | |
71 | esac |