Bind /nix to user-specific path

1 files changed, 6 insertions, 1 deletions

diff --git a/nixops/modules/pub/restrict b/nixops/modules/pub/restrict
index 6d80590..4a3e215 100644
--- a/nixops/modules/pub/restrict
+++ b/nixops/modules/pub/restrict
@@ -2,6 +2,7 @@
 user="$1"
 rootuser="$HOME/$user/"
 mkdir -p $rootuser
+mkdir -p $HOME/$user-nixstore
 
 orig="$SSH_ORIGINAL_COMMAND"
 if [ -z "$orig" ]; then
@@ -20,13 +21,15 @@ rsync*)
           nix-store -q -R \
                /run/current-system/sw \
                /etc/profiles/per-user/pub \
+               /etc/ssl/certs/ca-bundle.crt \
                | while read i; do
-            printf '%s--bind\0'$i'\0'$i'\0' ''
+            printf '%s--ro-bind\0'$i'\0'$i'\0' ''
           done
         }
 
         set -euo pipefail
         (exec -c bwrap --ro-bind /usr /usr \
+              --bind /var/lib/pub/$user-nixstore /nix \
               --args 10 \
               --dir /tmp \
               --dir /var \
@@ -35,6 +38,8 @@ rsync*)
               --dev /dev \
               --ro-bind /etc/resolv.conf /etc/resolv.conf \
               --ro-bind /etc/zoneinfo /etc/zoneinfo \
+              --ro-bind /etc/ssl /etc/ssl \
+              --ro-bind /etc/static/ssl/certs /etc/static/ssl/certs \
               --ro-bind /run/current-system/sw/lib/locale/locale-archive /etc/locale-archive \
               --ro-bind /run/current-system/sw/bin /bin \
               --ro-bind /etc/profiles/per-user/pub/bin /bin-pub \