1 { lib, pkgs, config, ... }:
3 restrict = pkgs.runCommand "restrict" {
5 buildInputs = [ pkgs.makeWrapper ];
8 cp $file $out/bin/restrict
9 chmod a+x $out/bin/restrict
10 patchShebangs $out/bin/restrict
11 wrapProgram $out/bin/restrict \
12 --prefix PATH : ${lib.makeBinPath [ pkgs.bubblewrap pkgs.rrsync ]} \
13 --set TMUX_RESTRICT ${./tmux.restrict.conf}
18 myServices.pub.enable = lib.mkOption {
19 type = lib.types.bool;
22 Whether to enable pub user.
25 myServices.pub.usersProfiles = lib.mkOption {
26 type = lib.types.attrsOf (lib.types.listOf lib.types.package);
32 myServices.pub.restrictCommand = lib.mkOption {
33 type = lib.types.path;
35 default = "${restrict}/bin/restrict";
37 path to the restrict shell
42 config = lib.mkIf config.myServices.pub.enable {
43 myServices.dns.zones."immae.eu".subdomains.pub =
44 with config.myServices.dns.helpers; ips servers.eldiron.ips.main;
46 myServices.chatonsProperties.services.vm-like = {
47 file.datetime = "2022-08-22T01:00:00";
49 name = "Comptes shell";
50 description = "Compte shell cloisonné";
51 logo = "https://www.openssh.com/favicon.ico";
52 website = "pub.immae.eu";
54 status.description = "OK";
55 registration."" = ["MEMBER" "CLIENT"];
56 registration.load = "OPEN";
57 install.type = "PACKAGE";
61 website = "https://www.openssh.com/";
62 license.url = "https://github.com/openssh/openssh-portable/blob/master/LICENCE";
63 license.name = "BSD Licence";
64 version = pkgs.openssh.version;
65 source.url = "https://github.com/openssh/openssh-portable";
68 myServices.ssh.modules.pub = {
69 snippet = builtins.readFile ./ldap_pub.sh;
70 dependencies = [ pkgs.coreutils ];
71 vars.ldap_forward_group = "cn=forward,cn=pub,ou=services,dc=immae,dc=eu";
72 vars.ldap_pub_group = "cn=restrict,cn=pub,ou=services,dc=immae,dc=eu";
73 vars.echo_command = "${pkgs.coreutils}/bin/echo";
74 vars.restrict_command = "${restrict}/bin/restrict";
77 system.extraSystemBuilderCmds = let
78 toPath = u: paths: pkgs.buildEnv {
79 name = "${u}-profile";
84 ${builtins.concatStringsSep "\n" (lib.mapAttrsToList (u: m: "ln -s ${toPath u m} $out/pub/${u}") config.myServices.pub.usersProfiles)}
89 description = "Restricted shell user";
90 home = "/var/lib/pub";
91 uid = config.myEnv.users.pub.uid;
94 useDefaultShell = true;