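#!/usr/bin/env bash
#
# SSH forced-command wrapper.  Runs the remote client's SSH_ORIGINAL_COMMAND
# either through rrsync (restricted to the user's directory) or inside a
# bubblewrap sandbox whose only writable host area is /var/lib/pub/<user>.
#
# Usage (from authorized_keys):  command="/path/to/this/script <user>" ...
# Required env: TMUX_RESTRICT (tmux config bound read-only into the sandbox).
#               SSH_ORIGINAL_COMMAND is supplied by sshd; when it is absent
#               (interactive login) a login shell is started instead.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

# <user> comes from the authorized_keys entry, not from the remote client, but
# an empty or path-like value would widen the bind mount below from
# /var/lib/pub/<user> to all of /var/lib/pub, so refuse it before doing anything.
user="${1:-}"
case "$user" in
  ''|*/*|.|..) die "usage: ${0##*/} <user>" ;;
esac
rootuser="$HOME/$user/"
mkdir -p -- "$rootuser"

# Command requested by the remote client; fall back to a login shell.
orig="${SSH_ORIGINAL_COMMAND:-}"
if [[ -z "$orig" ]]; then
  orig="/bin/bash -l"
fi
# Strip a leading "command " prefix.
if [[ "${orig:0:7}" == "command" ]]; then
  orig="${orig:8}"
fi

case "$orig" in
  rsync*)
    # NOTE(review): rrsync reads SSH_ORIGINAL_COMMAND itself, so the "command "
    # prefix stripped above is still visible to it — confirm this is intended.
    rrsync "$rootuser"
    ;;
  *)
    #######################################
    # Emit a "--ro-bind <path> <path>" triple, NUL-separated, for every store
    # path in the closure of the roots listed below.
    # Outputs: NUL-separated bwrap arguments on stdout (consumed via --args)
    #######################################
    nix_store_paths() {
      local p
      nix-store -q -R \
        /run/current-system/sw \
        /etc/profiles/per-user/pub \
        /etc/ssl/certs/ca-bundle.crt \
      | while IFS= read -r p; do
        # Paths are passed as %s arguments, never spliced into the format.
        printf -- '--ro-bind\0%s\0%s\0' "$p" "$p"
      done
    }

    : "${TMUX_RESTRICT:?TMUX_RESTRICT must point at the tmux restrict config}"

    # $orig is deliberately word-split into bwrap's command arguments; the
    # subshell disables globbing first so the untrusted command line cannot
    # expand against host filenames.  TERM is unset when the client requested
    # no pty, so it must not trip `set -u`.
    # shellcheck disable=SC2086
    (set -f; exec -c bwrap --ro-bind /usr /usr \
      --args 10 \
      --dir /tmp \
      --dir /var \
      --symlink ../tmp var/tmp \
      --proc /proc \
      --dev /dev \
      --ro-bind /etc/resolv.conf /etc/resolv.conf \
      --ro-bind /etc/zoneinfo /etc/zoneinfo \
      --ro-bind /etc/ssl /etc/ssl \
      --ro-bind /etc/static/ssl/certs /etc/static/ssl/certs \
      --ro-bind /run/current-system/sw/lib/locale/locale-archive /etc/locale-archive \
      --ro-bind /run/current-system/sw/bin /bin \
      --ro-bind /etc/profiles/per-user/pub/bin /bin-pub \
      --bind "/var/lib/pub/$user" /var/lib/pub \
      --dir /var/lib/commons \
      --ro-bind "$TMUX_RESTRICT" /var/lib/commons/tmux.restrict.conf \
      --chdir /var/lib/pub \
      --unshare-all \
      --share-net \
      --dir "/run/user/$UID" \
      --setenv TERM "${TERM:-}" \
      --setenv LOCALE_ARCHIVE "/etc/locale-archive" \
      --setenv XDG_RUNTIME_DIR "/run/user/$UID" \
      --setenv PS1 "$user@pub $ " \
      --setenv PATH "/bin:/bin-pub" \
      --setenv HOME "/var/lib/pub" \
      --file 11 /etc/passwd \
      --file 12 /etc/group \
      -- $orig) \
      10< <(nix_store_paths) \
      11< <(getent passwd "$UID" 65534) \
      12< <(getent group "$(id -g)" 65534)
    ;;
esac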