# Root of this user's published tree under the caller's home directory.
# $user is presumably assigned earlier (lines not visible in this view),
# e.g. from the forced-command arguments in authorized_keys - confirm.
rootuser=${HOME}/${user}/
# The command the client asked for. With a forced command configured,
# sshd passes the client's request in SSH_ORIGINAL_COMMAND, so this value
# is client-controlled; the checks below inspect it before anything runs.
orig=${SSH_ORIGINAL_COMMAND}
# Dispatch on the client-supplied SSH_ORIGINAL_COMMAND. The bodies of the
# two branches (original lines 8-9 and 11-20) are not visible in this view,
# so only the conditions can be reviewed here.
7 if [ -z "$orig" ]; then
# Prefix test: selects the "command..." form of the request; what is done
# with the remainder of $orig is on lines not shown here.
10 if [ "${orig:0:7}" = "command" ]; then
21 /run
/current
-system/sw \
22 /etc
/profiles
/per
-user/pub \
23 /etc
/ssl
/certs
/ca
-bundle.crt \
25 printf '%s--ro-bind\0'$i'\0'$i'\0' ''
# NOTE(review): the printf calls above and below splice $i / $user into the
# *format* string, so a '%' in a store path or user name would be read as a
# printf directive. Safer form with the same output:
#   printf '%s--ro-bind\0%s\0%s\0' '' "$i" "$i"
# (store paths and $user presumably come from trusted configuration, so this
# is hygiene rather than a known hole - confirm where $user is set.)
# Extra read-only binds for the per-user "pub" profile, only when it exists:
# the profile's closure via nix-store -q -R, then its bin/ exposed in the
# sandbox as /bin-pub-$user, which the PATH set further down lists first.
27 if [ -e "/run/current-system/pub/$user" ]; then
28 nix
-store -q -R "/run/current-system/pub/$user" \
30 printf '%s--ro-bind\0'$i'\0'$i'\0' ''
32 printf '%s--ro-bind\0/run/current-system/pub/'$user'/bin\0/bin-pub-'$user'\0' ''
# Replace this shell with a bubblewrap sandbox. `exec -c` starts bwrap with
# an empty environment, so only the --setenv values below reach the sandbox.
# Host paths are mounted read-only; the one writable mount visible here is
# /var/lib/pub/$user, which appears inside the sandbox as /var/lib/pub and
# is also the working directory and HOME. /var/lib/commons and
# /run/user/<uid> are created as empty directories.
# Original lines 38-40, 42-43, 55-56 and 66 are not visible in this view,
# so the namespace/isolation options of this invocation cannot be reviewed
# from here - check them in the full file.
# fd 10 carries the NUL-separated --ro-bind triples emitted by
# nix_store_paths (presumably a function defined above and presumably read
# through an `--args 10` option on one of the missing lines - confirm);
# fds 11/12 feed a minimal /etc/passwd and /etc/group holding only this
# uid/gid plus 65534 (conventionally "nobody").
# NOTE(review): fd 10 is NUL-delimited but `sort | uniq` run in newline mode
# here, so de-duplication is unlikely to work as intended and sort may append
# a trailing newline - confirm whether `sort -z | uniq -z` was meant.
# NOTE(review): $TMUX_RESTRICT (line 53) is unquoted, and `id -u` is spelled
# both as $(id -u) (line 57) and with backticks (line 60) - consistency nits.
37 (exec -c bwrap
--ro-bind /usr
/usr \
41 --symlink ..
/tmp var
/tmp \
44 --ro-bind /etc
/resolv.conf
/etc
/resolv.conf \
45 --ro-bind /etc
/zoneinfo
/etc
/zoneinfo \
46 --ro-bind /etc
/ssl
/etc
/ssl \
47 --ro-bind /etc
/static
/ssl
/certs
/etc
/static
/ssl
/certs \
48 --ro-bind /run
/current
-system/sw
/lib
/locale
/locale
-archive /etc
/locale
-archive \
49 --ro-bind /run
/current
-system/sw
/bin
/bin \
50 --ro-bind /etc
/profiles
/per
-user/pub
/bin
/bin
-pub \
51 --bind /var
/lib
/pub
/$user /var
/lib
/pub \
52 --dir /var
/lib
/commons \
53 --ro-bind $TMUX_RESTRICT /var
/lib
/commons
/tmux.restrict.conf \
54 --chdir /var
/lib
/pub \
57 --dir /run
/user
/$(id -u) \
58 --setenv TERM
"$TERM" \
59 --setenv LOCALE_ARCHIVE
"/etc/locale-archive" \
60 --setenv XDG_RUNTIME_DIR
"/run/user/`id -u`" \
61 --setenv PS1
"$user@pub $ " \
62 --setenv PATH
"/bin-pub-$user:/bin:/bin-pub" \
63 --setenv HOME
"/var/lib/pub" \
64 --file 11 /etc
/passwd \
65 --file 12 /etc
/group \
67 10< <(nix_store_paths
| sort | uniq) \
68 11< <(getent passwd
$UID 65534) \
69 12< <(getent group
$(id -g) 65534)