6 files changed, 150 insertions, 2 deletions
diff --git a/nixops/eldiron.nix b/nixops/eldiron.nix
index 5dff7d4..5f0b5d5 100644
--- a/nixops/eldiron.nix
+++ b/nixops/eldiron.nix
@@ -30,6 +30,7 @@
      ./modules/websites
      ./modules/mail
      ./modules/ftp
+      ./modules/pub
    ];
    services.myGitolite.enable = true;
    services.myDatabases.enable = true;
@@ -37,6 +38,7 @@
    services.myWebsites.integration.enable = true;
    services.myWebsites.tools.enable = true;
    services.pure-ftpd.enable = true;
+    services.pub.enable = true;
    services.journald.extraConfig = ''
      MaxLevelStore="warning"
diff --git a/nixops/ldap_authorized_keys.sh b/nixops/ldap_authorized_keys.sh
index ceaddbe..d869d74 100755
--- a/nixops/ldap_authorized_keys.sh
+++ b/nixops/ldap_authorized_keys.sh
@@ -92,7 +92,7 @@ ldap_keys() {
            key_forward=$(clean_key_line forward "$line")
            if [ ! -z "$key" ]; then
              if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
-                echo -n 'command="$HOME/bin/restrict '$user'" '
+                echo -n 'command="/etc/profiles/per-user/pub/bin/restrict '$user'" '
                echo $key
              fi
            elif [ ! -z "$key_forward" ]; then
diff --git a/nixops/modules/pub/default.nix b/nixops/modules/pub/default.nix
new file mode 100644
index 0000000..59263ad
--- /dev/null
+++ b/nixops/modules/pub/default.nix
@@ -0,0 +1,44 @@
+{ lib, pkgs, config, myconfig, mylibs, ... }:
+{
+  options = {
+    services.pub.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = ''
+        Whether to enable pub user.
+      '';
+    };
+  };
+  config = lib.mkIf config.services.pub.enable {
+    users.users.pub = let
+      restrict = pkgs.runCommand "restrict" { 
+        file = ./restrict;
+        buildInputs = [ pkgs.makeWrapper ];
+      } ''
+        mkdir -p $out/bin
+        cp $file $out/bin/restrict
+        chmod a+x $out/bin/restrict
+        patchShebangs $out/bin/restrict
+        wrapProgram $out/bin/restrict \
+          --prefix PATH : ${lib.makeBinPath [ pkgs.bubblewrap pkgs.rrsync ]} \
+          --set TMUX_RESTRICT ${./tmux.restrict.conf}
+      '';
+    in {
+      createHome = true;
+      description = "Restricted shell user";
+      home = "/var/lib/pub";
+      uid = myconfig.env.users.pub.uid;
+      useDefaultShell = true;
+      packages = [
+        restrict
+        pkgs.tmux
+        (pkgs.pidgin.override { plugins = [
+          pkgs.purple-plugin-pack pkgs.purple-hangouts
+          pkgs.purple-discord pkgs.purple-facebook
+          pkgs.telegram-purple
+        ]; })
+        ];
+    };
+  };
+}
diff --git a/nixops/modules/pub/restrict b/nixops/modules/pub/restrict
new file mode 100644
index 0000000..a16d7a5
--- /dev/null
+++ b/nixops/modules/pub/restrict
@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+user="$1"
+rootuser="$HOME/$user/"
+mkdir -p $rootuser
+orig="$SSH_ORIGINAL_COMMAND"
+if [ -z "$orig" ]; then
+  orig="/bin/bash -l"
+fi
+if [ "${orig:0:7}" = "command" ]; then
+  orig="${orig:8}"
+fi
+case "$orig" in
+rsync*)
+        rrsync $HOME/$user/
+        ;;
+*)
+        nix_store_paths() {
+          nix-store -q -R \
+               /run/current-system/sw \
+               /etc/profiles/per-user/pub \
+               | while read i; do
+            printf '%s--bind\0'$i'\0'$i'\0' ''
+          done
+        }
+        set -euo pipefail
+        (exec -c bwrap --ro-bind /usr /usr \
+              --args 10 \
+              --dir /tmp \
+              --dir /var \
+              --symlink ../tmp var/tmp \
+              --proc /proc \
+              --dev /dev \
+              --ro-bind /etc/resolv.conf /etc/resolv.conf \
+              --ro-bind /run/current-system/sw/lib/locale/locale-archive /etc/locale-archive \
+              --ro-bind /run/current-system/sw/bin /bin \
+              --ro-bind /etc/profiles/per-user/pub/bin /bin-pub \
+              --bind /var/lib/pub/$user /var/lib/pub \
+              --ro-bind $TMUX_RESTRICT /var/lib/pub/.tmux.restrict.conf \
+              --chdir /var/lib/pub \
+              --unshare-all \
+              --share-net \
+              --dir /run/user/$(id -u) \
+              --setenv TERM "$TERM" \
+              --setenv LOCALE_ARCHIVE "/etc/locale-archive" \
+              --setenv XDG_RUNTIME_DIR "/run/user/`id -u`" \
+              --setenv PS1 "$user@pub $ " \
+              --setenv PATH "/bin:/bin-pub" \
+              --setenv HOME "/var/lib/pub" \
+              --file 11 /etc/passwd \
+              --file 12 /etc/group \
+              -- $orig) \
+              10< <(nix_store_paths) \
+              11< <(getent passwd $UID 65534) \
+              12< <(getent group $(id -g) 65534)
+        ;;
+esac
diff --git a/nixops/modules/pub/tmux.restrict.conf b/nixops/modules/pub/tmux.restrict.conf
new file mode 100644
index 0000000..5aefd1c
--- /dev/null
+++ b/nixops/modules/pub/tmux.restrict.conf
@@ -0,0 +1,43 @@
+# Pour les nostalgiques de screen
+# comme les raccourcis ne sont pas les mêmes, j'évite
+set -g prefix C-a
+unbind-key C-b
+unbind-key -a
+bind-key -n C-h list-keys
+bind-key    C-d detach
+bind-key      & confirm-before -p "kill-window #W? (y/n)" kill-window
+# même hack que sur screen lorsqu'on veut profiter du scroll du terminal
+# (xterm ...)
+set -g terminal-overrides 'xterm*:smcup@:rmcup@'
+#Pour les ctrl+arrow
+set-option -g xterm-keys on
+# c'est un minimum (defaut 2000)
+set-option -g history-limit 10000
+# lorsque j'ai encore un tmux ailleurs seule
+# sa fenetre active réduit la taille de ma fenetre locale
+setw -g aggressive-resize on
+# Pour etre alerté sur un changement dans une autre fenêtre
+setw -g monitor-activity on
+#set -g visual-activity on
+#set -g visual-bell on
+set -g base-index 1
+# repercuter le contenu de la fenetre dans la barre de titre
+# reference des string : man tmux (status-left)
+set -g set-titles on
+set -g set-titles-string '#H #W #T' # host window command
+#Dans les valeurs par defaut deja, avec le ssh-agent
+set -g update-environment "DISPLAY SSH_ASKPASS SSH_AUTH_SOCK SSH_AGENT_PID SSH_CONNECTION WINDOWID XAUTHORITY PATH"
+set -g status off
+set -g status-left ''
+set -g status-right ''
diff --git a/nixops/modules/websites/tools/cloud/default.nix b/nixops/modules/websites/tools/cloud/default.nix
index 360d52c..dc3dde2 100644
--- a/nixops/modules/websites/tools/cloud/default.nix
+++ b/nixops/modules/websites/tools/cloud/default.nix
@@ -24,7 +24,7 @@ in {
      ];
    };
-    environment.systemPackages = let
+    users.users.root.packages = let
      occ = pkgs.writeScriptBin "nextcloud-occ" ''
        #! ${pkgs.stdenv.shell}
        cd ${nextcloud.webRoot}

diff --git a/nixops/eldiron.nix b/nixops/eldiron.nix index 5dff7d4..5f0b5d5 100644 --- a/nixops/eldiron.nix +++ b/nixops/eldiron.nix
@@ -30,6 +30,7 @@
30	./modules/websites	30	./modules/websites
31	./modules/mail	31	./modules/mail
32	./modules/ftp	32	./modules/ftp
		33	./modules/pub
33	];	34	];
34	services.myGitolite.enable = true;	35	services.myGitolite.enable = true;
35	services.myDatabases.enable = true;	36	services.myDatabases.enable = true;
@@ -37,6 +38,7 @@
37	services.myWebsites.integration.enable = true;	38	services.myWebsites.integration.enable = true;
38	services.myWebsites.tools.enable = true;	39	services.myWebsites.tools.enable = true;
39	services.pure-ftpd.enable = true;	40	services.pure-ftpd.enable = true;
		41	services.pub.enable = true;
40		42
41	services.journald.extraConfig = ''	43	services.journald.extraConfig = ''
42	MaxLevelStore="warning"	44	MaxLevelStore="warning"


diff --git a/nixops/ldap_authorized_keys.sh b/nixops/ldap_authorized_keys.sh index ceaddbe..d869d74 100755 --- a/nixops/ldap_authorized_keys.sh +++ b/nixops/ldap_authorized_keys.sh
@@ -92,7 +92,7 @@ ldap_keys() {
92	key_forward=$(clean_key_line forward "$line")	92	key_forward=$(clean_key_line forward "$line")
93	if [ ! -z "$key" ]; then	93	if [ ! -z "$key" ]; then
94	if [[ $key != $'\n' ]] && [[ $key == ssh-* ]]; then	94	if [[ $key != $'\n' ]] && [[ $key == ssh-* ]]; then
95	echo -n 'command="$HOME/bin/restrict '$user'" '	95	echo -n 'command="/etc/profiles/per-user/pub/bin/restrict '$user'" '
96	echo $key	96	echo $key
97	fi	97	fi
98	elif [ ! -z "$key_forward" ]; then	98	elif [ ! -z "$key_forward" ]; then


diff --git a/nixops/modules/pub/default.nix b/nixops/modules/pub/default.nix new file mode 100644 index 0000000..59263ad --- /dev/null +++ b/nixops/modules/pub/default.nix
@@ -0,0 +1,44 @@
		1	{ lib, pkgs, config, myconfig, mylibs, ... }:
		2	{
		3	options = {
		4	services.pub.enable = lib.mkOption {
		5	type = lib.types.bool;
		6	default = false;
		7	description = ''
		8	Whether to enable pub user.
		9	'';
		10	};
		11	};
		12
		13	config = lib.mkIf config.services.pub.enable {
		14	users.users.pub = let
		15	restrict = pkgs.runCommand "restrict" {
		16	file = ./restrict;
		17	buildInputs = [ pkgs.makeWrapper ];
		18	} ''
		19	mkdir -p $out/bin
		20	cp $file $out/bin/restrict
		21	chmod a+x $out/bin/restrict
		22	patchShebangs $out/bin/restrict
		23	wrapProgram $out/bin/restrict \
		24	--prefix PATH : ${lib.makeBinPath [ pkgs.bubblewrap pkgs.rrsync ]} \
		25	--set TMUX_RESTRICT ${./tmux.restrict.conf}
		26	'';
		27	in {
		28	createHome = true;
		29	description = "Restricted shell user";
		30	home = "/var/lib/pub";
		31	uid = myconfig.env.users.pub.uid;
		32	useDefaultShell = true;
		33	packages = [
		34	restrict
		35	pkgs.tmux
		36	(pkgs.pidgin.override { plugins = [
		37	pkgs.purple-plugin-pack pkgs.purple-hangouts
		38	pkgs.purple-discord pkgs.purple-facebook
		39	pkgs.telegram-purple
		40	]; })
		41	];
		42	};
		43	};
		44	}


diff --git a/nixops/modules/pub/restrict b/nixops/modules/pub/restrict new file mode 100644 index 0000000..a16d7a5 --- /dev/null +++ b/nixops/modules/pub/restrict
@@ -0,0 +1,59 @@
		1	#!/usr/bin/env bash
		2	user="$1"
		3	rootuser="$HOME/$user/"
		4	mkdir -p $rootuser
		5
		6	orig="$SSH_ORIGINAL_COMMAND"
		7	if [ -z "$orig" ]; then
		8	orig="/bin/bash -l"
		9	fi
		10	if [ "${orig:0:7}" = "command" ]; then
		11	orig="${orig:8}"
		12	fi
		13
		14	case "$orig" in
		15	rsync*)
		16	rrsync $HOME/$user/
		17	;;
		18	*)
		19	nix_store_paths() {
		20	nix-store -q -R \
		21	/run/current-system/sw \
		22	/etc/profiles/per-user/pub \
		23	\| while read i; do
		24	printf '%s--bind\0'$i'\0'$i'\0' ''
		25	done
		26	}
		27
		28	set -euo pipefail
		29	(exec -c bwrap --ro-bind /usr /usr \
		30	--args 10 \
		31	--dir /tmp \
		32	--dir /var \
		33	--symlink ../tmp var/tmp \
		34	--proc /proc \
		35	--dev /dev \
		36	--ro-bind /etc/resolv.conf /etc/resolv.conf \
		37	--ro-bind /run/current-system/sw/lib/locale/locale-archive /etc/locale-archive \
		38	--ro-bind /run/current-system/sw/bin /bin \
		39	--ro-bind /etc/profiles/per-user/pub/bin /bin-pub \
		40	--bind /var/lib/pub/$user /var/lib/pub \
		41	--ro-bind $TMUX_RESTRICT /var/lib/pub/.tmux.restrict.conf \
		42	--chdir /var/lib/pub \
		43	--unshare-all \
		44	--share-net \
		45	--dir /run/user/$(id -u) \
		46	--setenv TERM "$TERM" \
		47	--setenv LOCALE_ARCHIVE "/etc/locale-archive" \
		48	--setenv XDG_RUNTIME_DIR "/run/user/`id -u`" \
		49	--setenv PS1 "$user@pub $ " \
		50	--setenv PATH "/bin:/bin-pub" \
		51	--setenv HOME "/var/lib/pub" \
		52	--file 11 /etc/passwd \
		53	--file 12 /etc/group \
		54	-- $orig) \
		55	10< <(nix_store_paths) \
		56	11< <(getent passwd $UID 65534) \
		57	12< <(getent group $(id -g) 65534)
		58	;;
		59	esac


diff --git a/nixops/modules/pub/tmux.restrict.conf b/nixops/modules/pub/tmux.restrict.conf new file mode 100644 index 0000000..5aefd1c --- /dev/null +++ b/nixops/modules/pub/tmux.restrict.conf
@@ -0,0 +1,43 @@
		1	# Pour les nostalgiques de screen
		2	# comme les raccourcis ne sont pas les mêmes, j'évite
		3	set -g prefix C-a
		4	unbind-key C-b
		5
		6	unbind-key -a
		7	bind-key -n C-h list-keys
		8	bind-key C-d detach
		9	bind-key & confirm-before -p "kill-window #W? (y/n)" kill-window
		10
		11	# même hack que sur screen lorsqu'on veut profiter du scroll du terminal
		12	# (xterm ...)
		13	set -g terminal-overrides 'xterm*:smcup@:rmcup@'
		14
		15	#Pour les ctrl+arrow
		16	set-option -g xterm-keys on
		17
		18	# c'est un minimum (defaut 2000)
		19	set-option -g history-limit 10000
		20
		21	# lorsque j'ai encore un tmux ailleurs seule
		22	# sa fenetre active réduit la taille de ma fenetre locale
		23	setw -g aggressive-resize on
		24
		25	# Pour etre alerté sur un changement dans une autre fenêtre
		26	setw -g monitor-activity on
		27	#set -g visual-activity on
		28	#set -g visual-bell on
		29
		30	set -g base-index 1
		31
		32	# repercuter le contenu de la fenetre dans la barre de titre
		33	# reference des string : man tmux (status-left)
		34	set -g set-titles on
		35	set -g set-titles-string '#H #W #T' # host window command
		36
		37	#Dans les valeurs par defaut deja, avec le ssh-agent
		38	set -g update-environment "DISPLAY SSH_ASKPASS SSH_AUTH_SOCK SSH_AGENT_PID SSH_CONNECTION WINDOWID XAUTHORITY PATH"
		39
		40	set -g status off
		41	set -g status-left ''
		42	set -g status-right ''
		43


diff --git a/nixops/modules/websites/tools/cloud/default.nix b/nixops/modules/websites/tools/cloud/default.nix index 360d52c..dc3dde2 100644 --- a/nixops/modules/websites/tools/cloud/default.nix +++ b/nixops/modules/websites/tools/cloud/default.nix
@@ -24,7 +24,7 @@ in {
24	];	24	];
25	};	25	};
26		26
27	environment.systemPackages = let	27	users.users.root.packages = let
28	occ = pkgs.writeScriptBin "nextcloud-occ" ''	28	occ = pkgs.writeScriptBin "nextcloud-occ" ''
29	#! ${pkgs.stdenv.shell}	29	#! ${pkgs.stdenv.shell}
30	cd ${nextcloud.webRoot}	30	cd ${nextcloud.webRoot}