./modules/websites
./modules/mail
./modules/ftp
+ ./modules/pub
];
services.myGitolite.enable = true;
services.myDatabases.enable = true;
services.myWebsites.integration.enable = true;
services.myWebsites.tools.enable = true;
services.pure-ftpd.enable = true;
+ services.pub.enable = true;
services.journald.extraConfig = ''
MaxLevelStore="warning"
key_forward=$(clean_key_line forward "$line")
if [ ! -z "$key" ]; then
if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
- echo -n 'command="$HOME/bin/restrict '$user'" '
+ echo -n 'command="/etc/profiles/per-user/pub/bin/restrict '$user'" '
echo $key
fi
elif [ ! -z "$key_forward" ]; then
--- /dev/null
+{ lib, pkgs, config, myconfig, mylibs, ... }:
+{
+ options = {
+ services.pub.enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = ''
+ Whether to enable pub user.
+ '';
+ };
+ };
+
+ config = lib.mkIf config.services.pub.enable {
+ users.users.pub = let
+ restrict = pkgs.runCommand "restrict" {
+ file = ./restrict;
+ buildInputs = [ pkgs.makeWrapper ];
+ } ''
+ mkdir -p $out/bin
+ cp $file $out/bin/restrict
+ chmod a+x $out/bin/restrict
+ patchShebangs $out/bin/restrict
+ wrapProgram $out/bin/restrict \
+ --prefix PATH : ${lib.makeBinPath [ pkgs.bubblewrap pkgs.rrsync ]} \
+ --set TMUX_RESTRICT ${./tmux.restrict.conf}
+ '';
+ in {
+ createHome = true;
+ description = "Restricted shell user";
+ home = "/var/lib/pub";
+ uid = myconfig.env.users.pub.uid;
+ useDefaultShell = true;
+ packages = [
+ restrict
+ pkgs.tmux
+ (pkgs.pidgin.override { plugins = [
+ pkgs.purple-plugin-pack pkgs.purple-hangouts
+ pkgs.purple-discord pkgs.purple-facebook
+ pkgs.telegram-purple
+ ]; })
+ ];
+ };
+ };
+}
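Review bot: Nothing in the `users.users.pub` definition itself restricts the account: with `useDefaultShell = true` and no shell override, any SSH key installed for pub that lacks the `command="…/restrict …"` option (the form the gitolite key hunk above generates) yields a plain login shell, so the sandbox holds only as long as every key carries that option. That invariant belongs next to the user definition, e.g. `# Access is restricted solely by the command= option gitolite writes on each key; a key added any other way gets an unrestricted shell.`. It is also worth a comment on `packages` that these are what the restrict wrapper exposes inside the sandbox via `/etc/profiles/per-user/pub/bin`, so this list is effectively the sandbox's tool set. Newer NixOS releases assert that a user sets either `isNormalUser` or `isSystemUser`; with an explicit `uid` here `isSystemUser = true;` looks like the intended one, but confirm against the release in use.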
--- /dev/null
+#!/usr/bin/env bash
+user="$1"
+rootuser="$HOME/$user/"
+mkdir -p $rootuser
+
+orig="$SSH_ORIGINAL_COMMAND"
+if [ -z "$orig" ]; then
+ orig="/bin/bash -l"
+fi
+if [ "${orig:0:7}" = "command" ]; then
+ orig="${orig:8}"
+fi
+
+case "$orig" in
+rsync*)
+ rrsync $HOME/$user/
+ ;;
+*)
+ nix_store_paths() {
+ nix-store -q -R \
+ /run/current-system/sw \
+ /etc/profiles/per-user/pub \
+ | while read i; do
+ printf '%s--bind\0'$i'\0'$i'\0' ''
+ done
+ }
+
+ set -euo pipefail
+ (exec -c bwrap --ro-bind /usr /usr \
+ --args 10 \
+ --dir /tmp \
+ --dir /var \
+ --symlink ../tmp var/tmp \
+ --proc /proc \
+ --dev /dev \
+ --ro-bind /etc/resolv.conf /etc/resolv.conf \
+ --ro-bind /run/current-system/sw/lib/locale/locale-archive /etc/locale-archive \
+ --ro-bind /run/current-system/sw/bin /bin \
+ --ro-bind /etc/profiles/per-user/pub/bin /bin-pub \
+ --bind /var/lib/pub/$user /var/lib/pub \
+ --ro-bind $TMUX_RESTRICT /var/lib/pub/.tmux.restrict.conf \
+ --chdir /var/lib/pub \
+ --unshare-all \
+ --share-net \
+ --dir /run/user/$(id -u) \
+ --setenv TERM "$TERM" \
+ --setenv LOCALE_ARCHIVE "/etc/locale-archive" \
+ --setenv XDG_RUNTIME_DIR "/run/user/`id -u`" \
+ --setenv PS1 "$user@pub $ " \
+ --setenv PATH "/bin:/bin-pub" \
+ --setenv HOME "/var/lib/pub" \
+ --file 11 /etc/passwd \
+ --file 12 /etc/group \
+ -- $orig) \
+ 10< <(nix_store_paths) \
+ 11< <(getent passwd $UID 65534) \
+ 12< <(getent group $(id -g) 65534)
+ ;;
+esac
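Review bot: `$user` is used unvalidated and unquoted to build host paths (`rootuser`, the `--bind /var/lib/pub/$user` mount, the `rrsync` target); it appears to come from the `command=` option gitolite writes into authorized_keys, so it is admin-controlled, but a value containing `/` or `..` would bind a directory outside `/var/lib/pub` into the sandbox and a value with spaces would split into extra bwrap arguments. `$orig`, which is client-controlled through `SSH_ORIGINAL_COMMAND`, is likewise expanded unquoted at `-- $orig` on the host: word splitting is intended there, but pathname expansion is not, so a `*` in the command is globbed against the host's working directory before bwrap starts. Rejecting user names outside `[A-Za-z0-9_-]` and running `set -f` before the exec addresses both. Separately, `nix_store_paths` emits `--bind` for the store paths; `printf '%s--ro-bind\0'$i'\0'$i'\0' ''` would not rely on the store's own mount being read-only.
```shell
user="$1"
case "$user" in
  ''|*[!A-Za-z0-9_-]*) echo "restrict: invalid user name" >&2; exit 1 ;;
esac
rootuser="$HOME/$user/"
mkdir -p "$rootuser"
# … unchanged: SSH_ORIGINAL_COMMAND handling, rsync branch, nix_store_paths …
  set -euo pipefail
  set -f   # no pathname expansion of the client-supplied $orig on the host
# … unchanged: bwrap invocation …
```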
--- /dev/null
+# Pour les nostalgiques de screen
+# comme les raccourcis ne sont pas les mêmes, j'évite
+set -g prefix C-a
+unbind-key C-b
+
+unbind-key -a
+bind-key -n C-h list-keys
+bind-key C-d detach
+bind-key & confirm-before -p "kill-window #W? (y/n)" kill-window
+
+# même hack que sur screen lorsqu'on veut profiter du scroll du terminal
+# (xterm ...)
+set -g terminal-overrides 'xterm*:smcup@:rmcup@'
+
+#Pour les ctrl+arrow
+set-option -g xterm-keys on
+
+# c'est un minimum (defaut 2000)
+set-option -g history-limit 10000
+
+# lorsque j'ai encore un tmux ailleurs seule
+# sa fenetre active réduit la taille de ma fenetre locale
+setw -g aggressive-resize on
+
+# Pour etre alerté sur un changement dans une autre fenêtre
+setw -g monitor-activity on
+#set -g visual-activity on
+#set -g visual-bell on
+
+set -g base-index 1
+
+# repercuter le contenu de la fenetre dans la barre de titre
+# reference des string : man tmux (status-left)
+set -g set-titles on
+set -g set-titles-string '#H #W #T' # host window command
+
+#Dans les valeurs par defaut deja, avec le ssh-agent
+set -g update-environment "DISPLAY SSH_ASKPASS SSH_AUTH_SOCK SSH_AGENT_PID SSH_CONNECTION WINDOWID XAUTHORITY PATH"
+
+set -g status off
+set -g status-left ''
+set -g status-right ''
+
];
};
- environment.systemPackages = let
+ users.users.root.packages = let
occ = pkgs.writeScriptBin "nextcloud-occ" ''
#! ${pkgs.stdenv.shell}
cd ${nextcloud.webRoot}