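{ lib, pkgs, config, ... }:
let
  # Forced-command wrapper for the shared "pub" account.  The ./restrict script
  # is copied into its own output, made executable, shebang-patched, and wrapped
  # so that bubblewrap and rrsync are on PATH and TMUX_RESTRICT points at the
  # shipped tmux configuration.  What ./restrict does with these is not visible
  # here; it is the single entry point every other reference below points at.
  restrict = pkgs.runCommand "restrict" {
    file = ./restrict;
    buildInputs = [ pkgs.makeWrapper ];
  } ''
    mkdir -p $out/bin
    cp $file $out/bin/restrict
    chmod a+x $out/bin/restrict
    patchShebangs $out/bin/restrict
    wrapProgram $out/bin/restrict \
      --prefix PATH : ${lib.makeBinPath [ pkgs.bubblewrap pkgs.rrsync ]} \
      --set TMUX_RESTRICT ${./tmux.restrict.conf}
  '';
  cfg = config.myServices.pub;
in
{
  options = {
    myServices.pub.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Whether to enable pub user.
      '';
    };
    # Per-user package lists; each becomes a buildEnv linked under
    # $out/pub/<user> in the system closure (see extraSystemBuilderCmds).
    myServices.pub.usersProfiles = lib.mkOption {
      type = lib.types.attrsOf (lib.types.listOf lib.types.package);
      default = {};
      description = ''
        specific user profile
      '';
    };
    # Read-only handle on the wrapper above so other modules (and this one)
    # reference the same store path rather than rebuilding it.
    myServices.pub.restrictCommand = lib.mkOption {
      type = lib.types.path;
      readOnly = true;
      default = "${restrict}/bin/restrict";
      description = ''
        path to the restrict shell
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    myServices.dns.zones."immae.eu".subdomains.pub =
      with config.myServices.dns.helpers; ips servers.eldiron.ips.main;

    # CHATONS service metadata only; nothing below is consumed at runtime.
    myServices.chatonsProperties.services.vm-like = {
      file.datetime = "2022-08-22T01:00:00";
      service = {
        name = "Comptes shell";
        description = "Compte shell cloisonné";
        logo = "https://www.openssh.com/favicon.ico";
        website = "pub.immae.eu";
        status.level = "OK";
        status.description = "OK";
        registration."" = ["MEMBER" "CLIENT"];
        registration.load = "OPEN";
        install.type = "PACKAGE";
      };
      software = {
        name = "Openssh";
        website = "https://www.openssh.com/";
        license.url = "https://github.com/openssh/openssh-portable/blob/master/LICENCE";
        license.name = "BSD Licence";
        version = pkgs.openssh.version;
        source.url = "https://github.com/openssh/openssh-portable";
      };
    };

    # SSH hook fed by ./ldap_pub.sh (not shown here).  It receives the two LDAP
    # group DNs plus the restrict command; presumably it resolves keys for
    # members of those groups and forces restrict_command for the "restrict"
    # group — confirm against the snippet, since this is where the account's
    # confinement is actually enforced.  restrict_command now goes through the
    # option so it cannot drift from what is exposed to other modules.
    myServices.ssh.modules.pub = {
      snippet = builtins.readFile ./ldap_pub.sh;
      dependencies = [ pkgs.coreutils ];
      vars.ldap_forward_group = "cn=forward,cn=pub,ou=services,dc=immae,dc=eu";
      vars.ldap_pub_group = "cn=restrict,cn=pub,ou=services,dc=immae,dc=eu";
      vars.echo_command = "${pkgs.coreutils}/bin/echo";
      vars.restrict_command = cfg.restrictCommand;
    };

    system.extraSystemBuilderCmds = let
      # One buildEnv per user, holding the packages listed in usersProfiles.
      toPath = u: paths: pkgs.buildEnv {
        name = "${u}-profile";
        inherit paths;
      };
      # The user name is spliced into a shell script: quote it so an unusual
      # attribute name cannot break or alter the builder command line.
      link = u: m: "ln -s ${toPath u m} $out/pub/${lib.escapeShellArg u}";
    in ''
      mkdir -p $out/pub
      ${lib.concatStringsSep "\n" (lib.mapAttrsToList link cfg.usersProfiles)}
    '';

    # Shared account every restricted login lands on.  useDefaultShell means
    # the login shell itself is unrestricted; confinement relies on the SSH
    # module above forcing restrict_command for these sessions.
    users.users.pub = {
      createHome = true;
      description = "Restricted shell user";
      home = "/var/lib/pub";
      uid = config.myEnv.users.pub.uid;
      isNormalUser = true;
      group = "nogroup";
      useDefaultShell = true;
      packages = [
        pkgs.tmux
      ];
    };
  };
}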