diff options
Diffstat (limited to 'systems/eldiron/pub')
-rw-r--r-- | systems/eldiron/pub/default.nix | 100 | ||||
-rw-r--r-- | systems/eldiron/pub/ldap_pub.sh | 38 | ||||
-rw-r--r-- | systems/eldiron/pub/restrict | 71 | ||||
-rw-r--r-- | systems/eldiron/pub/tmux.restrict.conf | 43 |
4 files changed, 252 insertions, 0 deletions
diff --git a/systems/eldiron/pub/default.nix b/systems/eldiron/pub/default.nix new file mode 100644 index 0000000..ca8122a --- /dev/null +++ b/systems/eldiron/pub/default.nix | |||
@@ -0,0 +1,100 @@ | |||
1 | { lib, pkgs, config, ... }: | ||
2 | let | ||
3 | restrict = pkgs.runCommand "restrict" { | ||
4 | file = ./restrict; | ||
5 | buildInputs = [ pkgs.makeWrapper ]; | ||
6 | } '' | ||
7 | mkdir -p $out/bin | ||
8 | cp $file $out/bin/restrict | ||
9 | chmod a+x $out/bin/restrict | ||
10 | patchShebangs $out/bin/restrict | ||
11 | wrapProgram $out/bin/restrict \ | ||
12 | --prefix PATH : ${lib.makeBinPath [ pkgs.bubblewrap pkgs.rrsync ]} \ | ||
13 | --set TMUX_RESTRICT ${./tmux.restrict.conf} | ||
14 | ''; | ||
15 | in | ||
16 | { | ||
17 | options = { | ||
18 | myServices.pub.enable = lib.mkOption { | ||
19 | type = lib.types.bool; | ||
20 | default = false; | ||
21 | description = '' | ||
22 | Whether to enable pub user. | ||
23 | ''; | ||
24 | }; | ||
25 | myServices.pub.usersProfiles = lib.mkOption { | ||
26 | type = lib.types.attrsOf (lib.types.listOf lib.types.package); | ||
27 | default = {}; | ||
28 | description = '' | ||
29 | specific user profile | ||
30 | ''; | ||
31 | }; | ||
32 | myServices.pub.restrictCommand = lib.mkOption { | ||
33 | type = lib.types.path; | ||
34 | readOnly = true; | ||
35 | default = "${restrict}/bin/restrict"; | ||
36 | description = '' | ||
37 | path to the restrict shell | ||
38 | ''; | ||
39 | }; | ||
40 | }; | ||
41 | |||
42 | config = lib.mkIf config.myServices.pub.enable { | ||
43 | myServices.dns.zones."immae.eu".subdomains.pub = | ||
44 | with config.myServices.dns.helpers; ips servers.eldiron.ips.main; | ||
45 | |||
46 | myServices.chatonsProperties.services.vm-like = { | ||
47 | file.datetime = "2022-08-22T01:00:00"; | ||
48 | service = { | ||
49 | name = "Comptes shell"; | ||
50 | description = "Compte shell cloisonné"; | ||
51 | logo = "https://www.openssh.com/favicon.ico"; | ||
52 | website = "pub.immae.eu"; | ||
53 | status.level = "OK"; | ||
54 | status.description = "OK"; | ||
55 | registration."" = ["MEMBER" "CLIENT"]; | ||
56 | registration.load = "OPEN"; | ||
57 | install.type = "PACKAGE"; | ||
58 | }; | ||
59 | software = { | ||
60 | name = "Openssh"; | ||
61 | website = "https://www.openssh.com/"; | ||
62 | license.url = "https://github.com/openssh/openssh-portable/blob/master/LICENCE"; | ||
63 | license.name = "BSD Licence"; | ||
64 | version = pkgs.openssh.version; | ||
65 | source.url = "https://github.com/openssh/openssh-portable"; | ||
66 | }; | ||
67 | }; | ||
68 | myServices.ssh.modules.pub = { | ||
69 | snippet = builtins.readFile ./ldap_pub.sh; | ||
70 | dependencies = [ pkgs.coreutils ]; | ||
71 | vars.ldap_forward_group = "cn=forward,cn=pub,ou=services,dc=immae,dc=eu"; | ||
72 | vars.ldap_pub_group = "cn=restrict,cn=pub,ou=services,dc=immae,dc=eu"; | ||
73 | vars.echo_command = "${pkgs.coreutils}/bin/echo"; | ||
74 | vars.restrict_command = "${restrict}/bin/restrict"; | ||
75 | }; | ||
76 | |||
77 | system.extraSystemBuilderCmds = let | ||
78 | toPath = u: paths: pkgs.buildEnv { | ||
79 | name = "${u}-profile"; | ||
80 | inherit paths; | ||
81 | }; | ||
82 | in '' | ||
83 | mkdir -p $out/pub | ||
84 | ${builtins.concatStringsSep "\n" (lib.mapAttrsToList (u: m: "ln -s ${toPath u m} $out/pub/${u}") config.myServices.pub.usersProfiles)} | ||
85 | ''; | ||
86 | users.users.pub = let | ||
87 | in { | ||
88 | createHome = true; | ||
89 | description = "Restricted shell user"; | ||
90 | home = "/var/lib/pub"; | ||
91 | uid = config.myEnv.users.pub.uid; | ||
92 | isNormalUser = true; | ||
93 | group = "nogroup"; | ||
94 | useDefaultShell = true; | ||
95 | packages = [ | ||
96 | pkgs.tmux | ||
97 | ]; | ||
98 | }; | ||
99 | }; | ||
100 | } | ||
diff --git a/systems/eldiron/pub/ldap_pub.sh b/systems/eldiron/pub/ldap_pub.sh new file mode 100644 index 0000000..9f03ffe --- /dev/null +++ b/systems/eldiron/pub/ldap_pub.sh | |||
@@ -0,0 +1,38 @@ | |||
1 | ### This snippet is not standalone and must be integrated in the global ldap_authorized_keys.sh | ||
2 | LDAP_PUB_RESTRICT_MEMBER="@pub_ldap_pub_group@" | ||
3 | LDAP_PUB_FORWARD_MEMBER="@pub_ldap_forward_group@" | ||
4 | ECHO="@pub_echo_command@" | ||
5 | |||
6 | if [[ $user == pub ]]; then | ||
7 | allowed_logins=$(LDAP_BASE=$USER_LDAP_BASE \ | ||
8 | ldap_search '(memberOf='$LDAP_PUB_RESTRICT_MEMBER')' '' \ | ||
9 | | grep ^dn \ | ||
10 | | sed -e "s/^dn: uid=\([^,]*\),.*$USER_LDAP_BASE$/'\1'/" \ | ||
11 | | paste -sd,) | ||
12 | |||
13 | allowed_forwards=$(LDAP_BASE=$USER_LDAP_BASE \ | ||
14 | ldap_search '(memberOf='$LDAP_PUB_FORWARD_MEMBER')' '' \ | ||
15 | | grep ^dn \ | ||
16 | | sed -e "s/^dn: uid=\([^,]*\),.*$USER_LDAP_BASE$/'\1'/" \ | ||
17 | | paste -sd,) | ||
18 | |||
19 | psql_search "SELECT login, key FROM ldap_users_ssh_keys WHERE realm = 'immae' AND 'pub' = ANY(usage) AND login IN ($allowed_logins);" | while IFS='|' read user key; do | ||
20 | if [ ! -z "$key" ]; then | ||
21 | if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then | ||
22 | echo -n 'command="@pub_restrict_command@ '$user'" ' | ||
23 | echo $key | ||
24 | fi | ||
25 | fi | ||
26 | done | ||
27 | |||
28 | psql_search "SELECT login, key FROM ldap_users_ssh_keys WHERE realm = 'immae' AND 'forward' = ANY(usage) AND login IN ($allowed_logins,$allowed_forwards);" | while IFS='|' read user key; do | ||
29 | if [ ! -z "$key" ]; then | ||
30 | if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then | ||
31 | echo -n 'no-pty,no-X11-forwarding,command="'$ECHO' forward only" ' | ||
32 | echo $key | ||
33 | fi | ||
34 | fi | ||
35 | done | ||
36 | exit 0 | ||
37 | fi | ||
38 | |||
diff --git a/systems/eldiron/pub/restrict b/systems/eldiron/pub/restrict new file mode 100644 index 0000000..698e394 --- /dev/null +++ b/systems/eldiron/pub/restrict | |||
@@ -0,0 +1,71 @@ | |||
1 | #!/usr/bin/env bash | ||
2 | user="$1" | ||
3 | rootuser="$HOME/$user/" | ||
4 | mkdir -p $rootuser | ||
5 | |||
6 | orig="$SSH_ORIGINAL_COMMAND" | ||
7 | if [ -z "$orig" ]; then | ||
8 | orig="/bin/bash -l" | ||
9 | fi | ||
10 | if [ "${orig:0:7}" = "command" ]; then | ||
11 | orig="${orig:8}" | ||
12 | fi | ||
13 | |||
14 | case "$orig" in | ||
15 | rsync*) | ||
16 | rrsync $HOME/$user/ | ||
17 | ;; | ||
18 | *) | ||
19 | nix_store_paths() { | ||
20 | nix-store -q -R \ | ||
21 | /run/current-system/sw \ | ||
22 | /etc/profiles/per-user/pub \ | ||
23 | /etc/ssl/certs/ca-bundle.crt \ | ||
24 | | while read i; do | ||
25 | printf '%s--ro-bind\0'$i'\0'$i'\0' '' | ||
26 | done | ||
27 | if [ -e "/run/current-system/pub/$user" ]; then | ||
28 | nix-store -q -R "/run/current-system/pub/$user" \ | ||
29 | | while read i; do | ||
30 | printf '%s--ro-bind\0'$i'\0'$i'\0' '' | ||
31 | done | ||
32 | printf '%s--ro-bind\0/run/current-system/pub/'$user'/bin\0/bin-pub-'$user'\0' '' | ||
33 | fi | ||
34 | } | ||
35 | |||
36 | set -euo pipefail | ||
37 | (exec -c bwrap --ro-bind /usr /usr \ | ||
38 | --args 10 \ | ||
39 | --dir /tmp \ | ||
40 | --dir /var \ | ||
41 | --symlink ../tmp var/tmp \ | ||
42 | --proc /proc \ | ||
43 | --dev /dev \ | ||
44 | --ro-bind /etc/resolv.conf /etc/resolv.conf \ | ||
45 | --ro-bind /etc/zoneinfo /etc/zoneinfo \ | ||
46 | --ro-bind /etc/ssl /etc/ssl \ | ||
47 | --ro-bind /etc/static/ssl/certs /etc/static/ssl/certs \ | ||
48 | --ro-bind /run/current-system/sw/lib/locale/locale-archive /etc/locale-archive \ | ||
49 | --ro-bind /run/current-system/sw/bin /bin \ | ||
50 | --ro-bind /etc/profiles/per-user/pub/bin /bin-pub \ | ||
51 | --bind /var/lib/pub/$user /var/lib/pub \ | ||
52 | --dir /var/lib/commons \ | ||
53 | --ro-bind $TMUX_RESTRICT /var/lib/commons/tmux.restrict.conf \ | ||
54 | --chdir /var/lib/pub \ | ||
55 | --unshare-all \ | ||
56 | --share-net \ | ||
57 | --dir /run/user/$(id -u) \ | ||
58 | --setenv TERM "$TERM" \ | ||
59 | --setenv LOCALE_ARCHIVE "/etc/locale-archive" \ | ||
60 | --setenv XDG_RUNTIME_DIR "/run/user/`id -u`" \ | ||
61 | --setenv PS1 "$user@pub $ " \ | ||
62 | --setenv PATH "/bin-pub-$user:/bin:/bin-pub" \ | ||
63 | --setenv HOME "/var/lib/pub" \ | ||
64 | --file 11 /etc/passwd \ | ||
65 | --file 12 /etc/group \ | ||
66 | -- $orig) \ | ||
67 | 10< <(nix_store_paths | sort | uniq) \ | ||
68 | 11< <(getent passwd $UID 65534) \ | ||
69 | 12< <(getent group $(id -g) 65534) | ||
70 | ;; | ||
71 | esac | ||
diff --git a/systems/eldiron/pub/tmux.restrict.conf b/systems/eldiron/pub/tmux.restrict.conf new file mode 100644 index 0000000..5aefd1c --- /dev/null +++ b/systems/eldiron/pub/tmux.restrict.conf | |||
@@ -0,0 +1,43 @@ | |||
1 | # Pour les nostalgiques de screen | ||
2 | # comme les raccourcis ne sont pas les mêmes, j'évite | ||
3 | set -g prefix C-a | ||
4 | unbind-key C-b | ||
5 | |||
6 | unbind-key -a | ||
7 | bind-key -n C-h list-keys | ||
8 | bind-key C-d detach | ||
9 | bind-key & confirm-before -p "kill-window #W? (y/n)" kill-window | ||
10 | |||
11 | # même hack que sur screen lorsqu'on veut profiter du scroll du terminal | ||
12 | # (xterm ...) | ||
13 | set -g terminal-overrides 'xterm*:smcup@:rmcup@' | ||
14 | |||
15 | #Pour les ctrl+arrow | ||
16 | set-option -g xterm-keys on | ||
17 | |||
18 | # c'est un minimum (defaut 2000) | ||
19 | set-option -g history-limit 10000 | ||
20 | |||
21 | # lorsque j'ai encore un tmux ailleurs seule | ||
22 | # sa fenetre active réduit la taille de ma fenetre locale | ||
23 | setw -g aggressive-resize on | ||
24 | |||
25 | # Pour etre alerté sur un changement dans une autre fenêtre | ||
26 | setw -g monitor-activity on | ||
27 | #set -g visual-activity on | ||
28 | #set -g visual-bell on | ||
29 | |||
30 | set -g base-index 1 | ||
31 | |||
32 | # repercuter le contenu de la fenetre dans la barre de titre | ||
33 | # reference des string : man tmux (status-left) | ||
34 | set -g set-titles on | ||
35 | set -g set-titles-string '#H #W #T' # host window command | ||
36 | |||
37 | #Dans les valeurs par defaut deja, avec le ssh-agent | ||
38 | set -g update-environment "DISPLAY SSH_ASKPASS SSH_AUTH_SOCK SSH_AGENT_PID SSH_CONNECTION WINDOWID XAUTHORITY PATH" | ||
39 | |||
40 | set -g status off | ||
41 | set -g status-left '' | ||
42 | set -g status-right '' | ||
43 | |||