Diffstat (limited to 'nixops/modules/pub/restrict')
-rw-r--r-- | nixops/modules/pub/restrict | 7 |
1 files changed, 6 insertions, 1 deletions
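--- a/nixops/modules/pub/restrict
+++ b/nixops/modules/pub/restrict
@@ -2,6 +2,7 @@
 user="$1"
 rootuser="$HOME/$user/"
 mkdir -p $rootuser
+mkdir -p $HOME/$user-nixstore
 
 orig="$SSH_ORIGINAL_COMMAND"
 if [ -z "$orig" ]; then
@@ -20,13 +21,15 @@ rsync*)
 nix-store -q -R \
 /run/current-system/sw \
 /etc/profiles/per-user/pub \
+/etc/ssl/certs/ca-bundle.crt \
 | while read i; do
-printf '%s--bind\0'$i'\0'$i'\0' ''
+printf '%s--ro-bind\0'$i'\0'$i'\0' ''
 done
 }
 
 set -euo pipefail
 (exec -c bwrap --ro-bind /usr /usr \
+--bind /var/lib/pub/$user-nixstore /nix \
 --args 10 \
 --dir /tmp \
 --dir /var \
@@ -35,6 +38,8 @@ rsync*)
 --dev /dev \
 --ro-bind /etc/resolv.conf /etc/resolv.conf \
 --ro-bind /etc/zoneinfo /etc/zoneinfo \
+--ro-bind /etc/ssl /etc/ssl \
+--ro-bind /etc/static/ssl/certs /etc/static/ssl/certs \
 --ro-bind /run/current-system/sw/lib/locale/locale-archive /etc/locale-archive \
 --ro-bind /run/current-system/sw/bin /bin \
 --ro-bind /etc/profiles/per-user/pub/bin /bin-pub \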
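Review bot: The directory created by the new `mkdir -p $HOME/$user-nixstore` and the one mounted by the new `--bind /var/lib/pub/$user-nixstore /nix` are spelled two different ways, so the writable bind source exists only if `$HOME` is `/var/lib/pub`. That is presumably true for this account, but nothing in the visible hunks establishes it. Deriving both from one quoted variable would keep them in step: `nixstore="$HOME/$user-nixstore"; mkdir -p "$nixstore"` and then `--bind "$nixstore" /nix`. Quoting also matters because `$user` is taken from `$1` and expanded unquoted in both places, so a value containing whitespace, glob characters or `/` would change which path is created and mounted read-write into the sandbox. Checking `$user` against an expected name pattern before the `mkdir` would rule that out. The script continues outside the hunks shown, so any validation already done there is not visible here.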