Diffstat (limited to 'nixops/modules')
-rw-r--r--nixops/modules/pub/restrict7
1 files changed, 6 insertions, 1 deletions
diff --git a/nixops/modules/pub/restrict b/nixops/modules/pub/restrict
index 6d80590..4a3e215 100644
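--- a/nixops/modules/pub/restrict
+++ b/nixops/modules/pub/restrict
@@ -2,6 +2,7 @@
 user="$1"
 rootuser="$HOME/$user/"
 mkdir -p $rootuser
+mkdir -p $HOME/$user-nixstore
 
 orig="$SSH_ORIGINAL_COMMAND"
 if [ -z "$orig" ]; then
@@ -20,13 +21,15 @@ rsync*)
  nix-store -q -R \
  /run/current-system/sw \
  /etc/profiles/per-user/pub \
+ /etc/ssl/certs/ca-bundle.crt \
  | while read i; do
- printf '%s--bind\0'$i'\0'$i'\0' ''
+ printf '%s--ro-bind\0'$i'\0'$i'\0' ''
  done
  }
 
  set -euo pipefail
  (exec -c bwrap --ro-bind /usr /usr \
+ --bind /var/lib/pub/$user-nixstore /nix \
  --args 10 \
  --dir /tmp \
  --dir /var \
@@ -35,6 +38,8 @@ rsync*)
  --dev /dev \
  --ro-bind /etc/resolv.conf /etc/resolv.conf \
  --ro-bind /etc/zoneinfo /etc/zoneinfo \
+ --ro-bind /etc/ssl /etc/ssl \
+ --ro-bind /etc/static/ssl/certs /etc/static/ssl/certs \
  --ro-bind /run/current-system/sw/lib/locale/locale-archive /etc/locale-archive \
  --ro-bind /run/current-system/sw/bin /bin \
  --ro-bind /etc/profiles/per-user/pub/bin /bin-pub \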
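Review bot: The new writable store directory is created at new line 5 as `$HOME/$user-nixstore` but bound at new line 32 from `/var/lib/pub/$user-nixstore`, and both expand `$user` unquoted; the two paths agree only if `$HOME` is `/var/lib/pub`, which these hunks do not show. I would use one quoted spelling in both places, `mkdir -p "$HOME/$user-nixstore"` and `--bind "$HOME/$user-nixstore" /nix \`. Because `$user` is taken from `$1` and becomes part of the source of a writable bind mount, it should be checked before use (for example rejecting anything outside `[A-Za-z0-9_]`), unless that is already enforced where the forced command is generated. The `-nixstore` suffix also shares a namespace with `rootuser="$HOME/$user/"`: an account named `NAME-nixstore` would get the same directory as NAME's store, so a separate parent directory for the stores would be safer. The `rsync*)` case and the bwrap invocation both continue outside the hunks shown.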