Diffstat (limited to 'systems/eldiron/pub/default.nix')
-rw-r--r-- | systems/eldiron/pub/default.nix | 100 |
1 files changed, 100 insertions, 0 deletions
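diff --git a/systems/eldiron/pub/default.nix b/systems/eldiron/pub/default.nix
new file mode 100644
index 0000000..ca8122a
--- /dev/null
+++ b/systems/eldiron/pub/default.nix
@@ -0,0 +1,100 @@
+{ lib, pkgs, config, ... }:
+let
+restrict = pkgs.runCommand "restrict" {
+file = ./restrict;
+buildInputs = [ pkgs.makeWrapper ];
+} ''
+mkdir -p $out/bin
+cp $file $out/bin/restrict
+chmod a+x $out/bin/restrict
+patchShebangs $out/bin/restrict
+wrapProgram $out/bin/restrict \
+--prefix PATH : ${lib.makeBinPath [ pkgs.bubblewrap pkgs.rrsync ]} \
+--set TMUX_RESTRICT ${./tmux.restrict.conf}
+'';
+in
+{
+options = {
+myServices.pub.enable = lib.mkOption {
+type = lib.types.bool;
+default = false;
+description = ''
+Whether to enable pub user.
+'';
+};
+myServices.pub.usersProfiles = lib.mkOption {
+type = lib.types.attrsOf (lib.types.listOf lib.types.package);
+default = {};
+description = ''
+specific user profile
+'';
+};
+myServices.pub.restrictCommand = lib.mkOption {
+type = lib.types.path;
+readOnly = true;
+default = "${restrict}/bin/restrict";
+description = ''
+path to the restrict shell
+'';
+};
+};
+
+config = lib.mkIf config.myServices.pub.enable {
+myServices.dns.zones."immae.eu".subdomains.pub =
+with config.myServices.dns.helpers; ips servers.eldiron.ips.main;
+
+myServices.chatonsProperties.services.vm-like = {
+file.datetime = "2022-08-22T01:00:00";
+service = {
+name = "Comptes shell";
+description = "Compte shell cloisonné";
+logo = "https://www.openssh.com/favicon.ico";
+website = "pub.immae.eu";
+status.level = "OK";
+status.description = "OK";
+registration."" = ["MEMBER" "CLIENT"];
+registration.load = "OPEN";
+install.type = "PACKAGE";
+};
+software = {
+name = "Openssh";
+website = "https://www.openssh.com/";
+license.url = "https://github.com/openssh/openssh-portable/blob/master/LICENCE";
+license.name = "BSD Licence";
+version = pkgs.openssh.version;
+source.url = "https://github.com/openssh/openssh-portable";
+};
+};
+myServices.ssh.modules.pub = {
+snippet = builtins.readFile ./ldap_pub.sh;
+dependencies = [ pkgs.coreutils ];
+vars.ldap_forward_group = "cn=forward,cn=pub,ou=services,dc=immae,dc=eu";
+vars.ldap_pub_group = "cn=restrict,cn=pub,ou=services,dc=immae,dc=eu";
+vars.echo_command = "${pkgs.coreutils}/bin/echo";
+vars.restrict_command = "${restrict}/bin/restrict";
+};
+
+system.extraSystemBuilderCmds = let
+toPath = u: paths: pkgs.buildEnv {
+name = "${u}-profile";
+inherit paths;
+};
+in ''
+mkdir -p $out/pub
+${builtins.concatStringsSep "\n" (lib.mapAttrsToList (u: m: "ln -s ${toPath u m} $out/pub/${u}") config.myServices.pub.usersProfiles)}
+'';
+users.users.pub = let
+in {
+createHome = true;
+description = "Restricted shell user";
+home = "/var/lib/pub";
+uid = config.myEnv.users.pub.uid;
+isNormalUser = true;
+group = "nogroup";
+useDefaultShell = true;
+packages = [
+pkgs.tmux
+];
+};
+};
+}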
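Review bot: On line 84 the profile name `u` and the buildEnv store path are spliced into the `ln -s` builder command unquoted, so a usersProfiles key containing whitespace or shell metacharacters would break the system builder or link the wrong path; `ln -s ${lib.escapeShellArg "${toPath u m}"} "$out/pub/"${lib.escapeShellArg u}` keeps each argument intact. Nothing in `users.users.pub` (lines 86-98) itself confines the account — it has `useDefaultShell = true` and the shared `nogroup` group — so the restriction appears to come only from the sshd module snippet `ldap_pub.sh` (not in this diff) via `vars.restrict_command`; that dependency deserves a comment on the user definition, e.g. `# confinement is applied by the ssh module (ldap_pub.sh); the login shell itself is unrestricted`. Line 74 repeats `"${restrict}/bin/restrict"` instead of reading `config.myServices.pub.restrictCommand`, so the exposed option and the value actually used can drift apart. The empty `let in` on lines 86-87 can be dropped.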