4 files changed, 252 insertions, 0 deletions
diff --git a/systems/eldiron/pub/default.nix b/systems/eldiron/pub/default.nix
new file mode 100644
index 0000000..ca8122a
--- /dev/null
+++ b/systems/eldiron/pub/default.nix
@@ -0,0 +1,100 @@
+{ lib, pkgs, config,  ... }:
+let
+  restrict = pkgs.runCommand "restrict" {
+    file = ./restrict;
+    buildInputs = [ pkgs.makeWrapper ];
+  } ''
+    mkdir -p $out/bin
+    cp $file $out/bin/restrict
+    chmod a+x $out/bin/restrict
+    patchShebangs $out/bin/restrict
+    wrapProgram $out/bin/restrict \
+      --prefix PATH : ${lib.makeBinPath [ pkgs.bubblewrap pkgs.rrsync ]} \
+      --set TMUX_RESTRICT ${./tmux.restrict.conf}
+  '';
+in
+{
+  options = {
+    myServices.pub.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = ''
+        Whether to enable pub user.
+      '';
+    };
+    myServices.pub.usersProfiles = lib.mkOption {
+      type = lib.types.attrsOf (lib.types.listOf lib.types.package);
+      default = {};
+      description = ''
+        specific user profile
+      '';
+    };
+    myServices.pub.restrictCommand = lib.mkOption {
+      type = lib.types.path;
+      readOnly = true;
+      default = "${restrict}/bin/restrict";
+      description = ''
+        path to the restrict shell
+      '';
+    };
+  };
+  config = lib.mkIf config.myServices.pub.enable {
+    myServices.dns.zones."immae.eu".subdomains.pub =
+      with config.myServices.dns.helpers; ips servers.eldiron.ips.main;
+    myServices.chatonsProperties.services.vm-like = {
+      file.datetime = "2022-08-22T01:00:00";
+      service = {
+        name = "Comptes shell";
+        description = "Compte shell cloisonné";
+        logo = "https://www.openssh.com/favicon.ico";
+        website = "pub.immae.eu";
+        status.level = "OK";
+        status.description = "OK";
+        registration."" = ["MEMBER" "CLIENT"];
+        registration.load = "OPEN";
+        install.type = "PACKAGE";
+      };
+      software = {
+        name = "Openssh";
+        website = "https://www.openssh.com/";
+        license.url = "https://github.com/openssh/openssh-portable/blob/master/LICENCE";
+        license.name = "BSD Licence";
+        version = pkgs.openssh.version;
+        source.url = "https://github.com/openssh/openssh-portable";
+      };
+    };
+    myServices.ssh.modules.pub = {
+      snippet = builtins.readFile ./ldap_pub.sh;
+      dependencies = [ pkgs.coreutils ];
+      vars.ldap_forward_group = "cn=forward,cn=pub,ou=services,dc=immae,dc=eu";
+      vars.ldap_pub_group = "cn=restrict,cn=pub,ou=services,dc=immae,dc=eu";
+      vars.echo_command = "${pkgs.coreutils}/bin/echo";
+      vars.restrict_command = "${restrict}/bin/restrict";
+    };
+    system.extraSystemBuilderCmds = let
+      toPath = u: paths: pkgs.buildEnv {
+        name = "${u}-profile";
+        inherit paths;
+      };
+    in ''
+      mkdir -p $out/pub
+      ${builtins.concatStringsSep "\n" (lib.mapAttrsToList (u: m: "ln -s ${toPath u m} $out/pub/${u}") config.myServices.pub.usersProfiles)}
+    '';
+    users.users.pub = let
+    in {
+      createHome = true;
+      description = "Restricted shell user";
+      home = "/var/lib/pub";
+      uid = config.myEnv.users.pub.uid;
+      isNormalUser = true;
+      group = "nogroup";
+      useDefaultShell = true;
+      packages = [
+        pkgs.tmux
+      ];
+    };
+  };
+}
diff --git a/systems/eldiron/pub/ldap_pub.sh b/systems/eldiron/pub/ldap_pub.sh
new file mode 100644
index 0000000..9f03ffe
--- /dev/null
+++ b/systems/eldiron/pub/ldap_pub.sh
@@ -0,0 +1,38 @@
+### This snippet is not standalone and must be integrated in the global ldap_authorized_keys.sh
+LDAP_PUB_RESTRICT_MEMBER="@pub_ldap_pub_group@"
+LDAP_PUB_FORWARD_MEMBER="@pub_ldap_forward_group@"
+ECHO="@pub_echo_command@"
+if [[ $user == pub ]]; then
+  allowed_logins=$(LDAP_BASE=$USER_LDAP_BASE \
+    ldap_search '(memberOf='$LDAP_PUB_RESTRICT_MEMBER')' '' \
+      | grep ^dn \
+      | sed -e "s/^dn: uid=\([^,]*\),.*$USER_LDAP_BASE$/'\1'/" \
+      | paste -sd,)
+  allowed_forwards=$(LDAP_BASE=$USER_LDAP_BASE \
+    ldap_search '(memberOf='$LDAP_PUB_FORWARD_MEMBER')' '' \
+      | grep ^dn \
+      | sed -e "s/^dn: uid=\([^,]*\),.*$USER_LDAP_BASE$/'\1'/" \
+      | paste -sd,)
+  psql_search "SELECT login, key FROM ldap_users_ssh_keys WHERE realm = 'immae' AND 'pub' = ANY(usage) AND login IN ($allowed_logins);" | while IFS='|' read user key; do
+    if [ ! -z "$key" ]; then
+      if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
+        echo -n 'command="@pub_restrict_command@ '$user'" '
+        echo $key
+      fi
+    fi
+  done
+  psql_search "SELECT login, key FROM ldap_users_ssh_keys WHERE realm = 'immae' AND 'forward' = ANY(usage) AND login IN ($allowed_logins,$allowed_forwards);" | while IFS='|' read user key; do
+    if [ ! -z "$key" ]; then
+      if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
+        echo -n 'no-pty,no-X11-forwarding,command="'$ECHO' forward only" '
+        echo $key
+      fi
+    fi
+  done
+  exit 0
+fi
diff --git a/systems/eldiron/pub/restrict b/systems/eldiron/pub/restrict
new file mode 100644
index 0000000..698e394
--- /dev/null
+++ b/systems/eldiron/pub/restrict
@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+user="$1"
+rootuser="$HOME/$user/"
+mkdir -p $rootuser
+orig="$SSH_ORIGINAL_COMMAND"
+if [ -z "$orig" ]; then
+  orig="/bin/bash -l"
+fi
+if [ "${orig:0:7}" = "command" ]; then
+  orig="${orig:8}"
+fi
+case "$orig" in
+rsync*)
+        rrsync $HOME/$user/
+        ;;
+*)
+        nix_store_paths() {
+          nix-store -q -R \
+               /run/current-system/sw \
+               /etc/profiles/per-user/pub \
+               /etc/ssl/certs/ca-bundle.crt \
+               | while read i; do
+            printf '%s--ro-bind\0'$i'\0'$i'\0' ''
+          done
+          if [ -e "/run/current-system/pub/$user" ]; then
+            nix-store -q -R "/run/current-system/pub/$user" \
+                | while read i; do
+              printf '%s--ro-bind\0'$i'\0'$i'\0' ''
+            done
+            printf '%s--ro-bind\0/run/current-system/pub/'$user'/bin\0/bin-pub-'$user'\0' ''
+          fi
+        }
+        set -euo pipefail
+        (exec -c bwrap --ro-bind /usr /usr \
+              --args 10 \
+              --dir /tmp \
+              --dir /var \
+              --symlink ../tmp var/tmp \
+              --proc /proc \
+              --dev /dev \
+              --ro-bind /etc/resolv.conf /etc/resolv.conf \
+              --ro-bind /etc/zoneinfo /etc/zoneinfo \
+              --ro-bind /etc/ssl /etc/ssl \
+              --ro-bind /etc/static/ssl/certs /etc/static/ssl/certs \
+              --ro-bind /run/current-system/sw/lib/locale/locale-archive /etc/locale-archive \
+              --ro-bind /run/current-system/sw/bin /bin \
+              --ro-bind /etc/profiles/per-user/pub/bin /bin-pub \
+              --bind /var/lib/pub/$user /var/lib/pub \
+              --dir /var/lib/commons \
+              --ro-bind $TMUX_RESTRICT /var/lib/commons/tmux.restrict.conf \
+              --chdir /var/lib/pub \
+              --unshare-all \
+              --share-net \
+              --dir /run/user/$(id -u) \
+              --setenv TERM "$TERM" \
+              --setenv LOCALE_ARCHIVE "/etc/locale-archive" \
+              --setenv XDG_RUNTIME_DIR "/run/user/`id -u`" \
+              --setenv PS1 "$user@pub $ " \
+              --setenv PATH "/bin-pub-$user:/bin:/bin-pub" \
+              --setenv HOME "/var/lib/pub" \
+              --file 11 /etc/passwd \
+              --file 12 /etc/group \
+              -- $orig) \
+              10< <(nix_store_paths | sort | uniq) \
+              11< <(getent passwd $UID 65534) \
+              12< <(getent group $(id -g) 65534)
+        ;;
+esac
diff --git a/systems/eldiron/pub/tmux.restrict.conf b/systems/eldiron/pub/tmux.restrict.conf
new file mode 100644
index 0000000..5aefd1c
--- /dev/null
+++ b/systems/eldiron/pub/tmux.restrict.conf
@@ -0,0 +1,43 @@
+# Pour les nostalgiques de screen
+# comme les raccourcis ne sont pas les mêmes, j'évite
+set -g prefix C-a
+unbind-key C-b
+unbind-key -a
+bind-key -n C-h list-keys
+bind-key    C-d detach
+bind-key      & confirm-before -p "kill-window #W? (y/n)" kill-window
+# même hack que sur screen lorsqu'on veut profiter du scroll du terminal
+# (xterm ...)
+set -g terminal-overrides 'xterm*:smcup@:rmcup@'
+#Pour les ctrl+arrow
+set-option -g xterm-keys on
+# c'est un minimum (defaut 2000)
+set-option -g history-limit 10000
+# lorsque j'ai encore un tmux ailleurs seule
+# sa fenetre active réduit la taille de ma fenetre locale
+setw -g aggressive-resize on
+# Pour etre alerté sur un changement dans une autre fenêtre
+setw -g monitor-activity on
+#set -g visual-activity on
+#set -g visual-bell on
+set -g base-index 1
+# repercuter le contenu de la fenetre dans la barre de titre
+# reference des string : man tmux (status-left)
+set -g set-titles on
+set -g set-titles-string '#H #W #T' # host window command
+#Dans les valeurs par defaut deja, avec le ssh-agent
+set -g update-environment "DISPLAY SSH_ASKPASS SSH_AUTH_SOCK SSH_AGENT_PID SSH_CONNECTION WINDOWID XAUTHORITY PATH"
+set -g status off
+set -g status-left ''
+set -g status-right ''

diff --git a/systems/eldiron/pub/default.nix b/systems/eldiron/pub/default.nix new file mode 100644 index 0000000..ca8122a --- /dev/null +++ b/systems/eldiron/pub/default.nix
@@ -0,0 +1,100 @@
	1	{ lib, pkgs, config, ... }:
	2	let
	3	restrict = pkgs.runCommand "restrict" {
	4	file = ./restrict;
	5	buildInputs = [ pkgs.makeWrapper ];
	6	} ''
	7	mkdir -p $out/bin
	8	cp $file $out/bin/restrict
	9	chmod a+x $out/bin/restrict
	10	patchShebangs $out/bin/restrict
	11	wrapProgram $out/bin/restrict \
	12	--prefix PATH : ${lib.makeBinPath [ pkgs.bubblewrap pkgs.rrsync ]} \
	13	--set TMUX_RESTRICT ${./tmux.restrict.conf}
	14	'';
	15	in
	16	{
	17	options = {
	18	myServices.pub.enable = lib.mkOption {
	19	type = lib.types.bool;
	20	default = false;
	21	description = ''
	22	Whether to enable pub user.
	23	'';
	24	};
	25	myServices.pub.usersProfiles = lib.mkOption {
	26	type = lib.types.attrsOf (lib.types.listOf lib.types.package);
	27	default = {};
	28	description = ''
	29	specific user profile
	30	'';
	31	};
	32	myServices.pub.restrictCommand = lib.mkOption {
	33	type = lib.types.path;
	34	readOnly = true;
	35	default = "${restrict}/bin/restrict";
	36	description = ''
	37	path to the restrict shell
	38	'';
	39	};
	40	};
	41
	42	config = lib.mkIf config.myServices.pub.enable {
	43	myServices.dns.zones."immae.eu".subdomains.pub =
	44	with config.myServices.dns.helpers; ips servers.eldiron.ips.main;
	45
	46	myServices.chatonsProperties.services.vm-like = {
	47	file.datetime = "2022-08-22T01:00:00";
	48	service = {
	49	name = "Comptes shell";
	50	description = "Compte shell cloisonné";
	51	logo = "https://www.openssh.com/favicon.ico";
	52	website = "pub.immae.eu";
	53	status.level = "OK";
	54	status.description = "OK";
	55	registration."" = ["MEMBER" "CLIENT"];
	56	registration.load = "OPEN";
	57	install.type = "PACKAGE";
	58	};
	59	software = {
	60	name = "Openssh";
	61	website = "https://www.openssh.com/";
	62	license.url = "https://github.com/openssh/openssh-portable/blob/master/LICENCE";
	63	license.name = "BSD Licence";
	64	version = pkgs.openssh.version;
	65	source.url = "https://github.com/openssh/openssh-portable";
	66	};
	67	};
	68	myServices.ssh.modules.pub = {
	69	snippet = builtins.readFile ./ldap_pub.sh;
	70	dependencies = [ pkgs.coreutils ];
	71	vars.ldap_forward_group = "cn=forward,cn=pub,ou=services,dc=immae,dc=eu";
	72	vars.ldap_pub_group = "cn=restrict,cn=pub,ou=services,dc=immae,dc=eu";
	73	vars.echo_command = "${pkgs.coreutils}/bin/echo";
	74	vars.restrict_command = "${restrict}/bin/restrict";
	75	};
	76
	77	system.extraSystemBuilderCmds = let
	78	toPath = u: paths: pkgs.buildEnv {
	79	name = "${u}-profile";
	80	inherit paths;
	81	};
	82	in ''
	83	mkdir -p $out/pub
	84	${builtins.concatStringsSep "\n" (lib.mapAttrsToList (u: m: "ln -s ${toPath u m} $out/pub/${u}") config.myServices.pub.usersProfiles)}
	85	'';
	86	users.users.pub = let
	87	in {
	88	createHome = true;
	89	description = "Restricted shell user";
	90	home = "/var/lib/pub";
	91	uid = config.myEnv.users.pub.uid;
	92	isNormalUser = true;
	93	group = "nogroup";
	94	useDefaultShell = true;
	95	packages = [
	96	pkgs.tmux
	97	];
	98	};
	99	};
	100	}


diff --git a/systems/eldiron/pub/ldap_pub.sh b/systems/eldiron/pub/ldap_pub.sh new file mode 100644 index 0000000..9f03ffe --- /dev/null +++ b/systems/eldiron/pub/ldap_pub.sh
@@ -0,0 +1,38 @@
	1	### This snippet is not standalone and must be integrated in the global ldap_authorized_keys.sh
	2	LDAP_PUB_RESTRICT_MEMBER="@pub_ldap_pub_group@"
	3	LDAP_PUB_FORWARD_MEMBER="@pub_ldap_forward_group@"
	4	ECHO="@pub_echo_command@"
	5
	6	if [[ $user == pub ]]; then
	7	allowed_logins=$(LDAP_BASE=$USER_LDAP_BASE \
	8	ldap_search '(memberOf='$LDAP_PUB_RESTRICT_MEMBER')' '' \
	9	\| grep ^dn \
	10	\| sed -e "s/^dn: uid=\([^,]\),.$USER_LDAP_BASE$/'\1'/" \
	11	\| paste -sd,)
	12
	13	allowed_forwards=$(LDAP_BASE=$USER_LDAP_BASE \
	14	ldap_search '(memberOf='$LDAP_PUB_FORWARD_MEMBER')' '' \
	15	\| grep ^dn \
	16	\| sed -e "s/^dn: uid=\([^,]\),.$USER_LDAP_BASE$/'\1'/" \
	17	\| paste -sd,)
	18
	19	psql_search "SELECT login, key FROM ldap_users_ssh_keys WHERE realm = 'immae' AND 'pub' = ANY(usage) AND login IN ($allowed_logins);" \| while IFS='\|' read user key; do
	20	if [ ! -z "$key" ]; then
	21	if [[ $key != $'\n' ]] && [[ $key == ssh-* ]]; then
	22	echo -n 'command="@pub_restrict_command@ '$user'" '
	23	echo $key
	24	fi
	25	fi
	26	done
	27
	28	psql_search "SELECT login, key FROM ldap_users_ssh_keys WHERE realm = 'immae' AND 'forward' = ANY(usage) AND login IN ($allowed_logins,$allowed_forwards);" \| while IFS='\|' read user key; do
	29	if [ ! -z "$key" ]; then
	30	if [[ $key != $'\n' ]] && [[ $key == ssh-* ]]; then
	31	echo -n 'no-pty,no-X11-forwarding,command="'$ECHO' forward only" '
	32	echo $key
	33	fi
	34	fi
	35	done
	36	exit 0
	37	fi
	38


diff --git a/systems/eldiron/pub/restrict b/systems/eldiron/pub/restrict new file mode 100644 index 0000000..698e394 --- /dev/null +++ b/systems/eldiron/pub/restrict
@@ -0,0 +1,71 @@
	1	#!/usr/bin/env bash
	2	user="$1"
	3	rootuser="$HOME/$user/"
	4	mkdir -p $rootuser
	5
	6	orig="$SSH_ORIGINAL_COMMAND"
	7	if [ -z "$orig" ]; then
	8	orig="/bin/bash -l"
	9	fi
	10	if [ "${orig:0:7}" = "command" ]; then
	11	orig="${orig:8}"
	12	fi
	13
	14	case "$orig" in
	15	rsync*)
	16	rrsync $HOME/$user/
	17	;;
	18	*)
	19	nix_store_paths() {
	20	nix-store -q -R \
	21	/run/current-system/sw \
	22	/etc/profiles/per-user/pub \
	23	/etc/ssl/certs/ca-bundle.crt \
	24	\| while read i; do
	25	printf '%s--ro-bind\0'$i'\0'$i'\0' ''
	26	done
	27	if [ -e "/run/current-system/pub/$user" ]; then
	28	nix-store -q -R "/run/current-system/pub/$user" \
	29	\| while read i; do
	30	printf '%s--ro-bind\0'$i'\0'$i'\0' ''
	31	done
	32	printf '%s--ro-bind\0/run/current-system/pub/'$user'/bin\0/bin-pub-'$user'\0' ''
	33	fi
	34	}
	35
	36	set -euo pipefail
	37	(exec -c bwrap --ro-bind /usr /usr \
	38	--args 10 \
	39	--dir /tmp \
	40	--dir /var \
	41	--symlink ../tmp var/tmp \
	42	--proc /proc \
	43	--dev /dev \
	44	--ro-bind /etc/resolv.conf /etc/resolv.conf \
	45	--ro-bind /etc/zoneinfo /etc/zoneinfo \
	46	--ro-bind /etc/ssl /etc/ssl \
	47	--ro-bind /etc/static/ssl/certs /etc/static/ssl/certs \
	48	--ro-bind /run/current-system/sw/lib/locale/locale-archive /etc/locale-archive \
	49	--ro-bind /run/current-system/sw/bin /bin \
	50	--ro-bind /etc/profiles/per-user/pub/bin /bin-pub \
	51	--bind /var/lib/pub/$user /var/lib/pub \
	52	--dir /var/lib/commons \
	53	--ro-bind $TMUX_RESTRICT /var/lib/commons/tmux.restrict.conf \
	54	--chdir /var/lib/pub \
	55	--unshare-all \
	56	--share-net \
	57	--dir /run/user/$(id -u) \
	58	--setenv TERM "$TERM" \
	59	--setenv LOCALE_ARCHIVE "/etc/locale-archive" \
	60	--setenv XDG_RUNTIME_DIR "/run/user/`id -u`" \
	61	--setenv PS1 "$user@pub $ " \
	62	--setenv PATH "/bin-pub-$user:/bin:/bin-pub" \
	63	--setenv HOME "/var/lib/pub" \
	64	--file 11 /etc/passwd \
	65	--file 12 /etc/group \
	66	-- $orig) \
	67	10< <(nix_store_paths \| sort \| uniq) \
	68	11< <(getent passwd $UID 65534) \
	69	12< <(getent group $(id -g) 65534)
	70	;;
	71	esac


diff --git a/systems/eldiron/pub/tmux.restrict.conf b/systems/eldiron/pub/tmux.restrict.conf new file mode 100644 index 0000000..5aefd1c --- /dev/null +++ b/systems/eldiron/pub/tmux.restrict.conf
@@ -0,0 +1,43 @@
	1	# Pour les nostalgiques de screen
	2	# comme les raccourcis ne sont pas les mêmes, j'évite
	3	set -g prefix C-a
	4	unbind-key C-b
	5
	6	unbind-key -a
	7	bind-key -n C-h list-keys
	8	bind-key C-d detach
	9	bind-key & confirm-before -p "kill-window #W? (y/n)" kill-window
	10
	11	# même hack que sur screen lorsqu'on veut profiter du scroll du terminal
	12	# (xterm ...)
	13	set -g terminal-overrides 'xterm*:smcup@:rmcup@'
	14
	15	#Pour les ctrl+arrow
	16	set-option -g xterm-keys on
	17
	18	# c'est un minimum (defaut 2000)
	19	set-option -g history-limit 10000
	20
	21	# lorsque j'ai encore un tmux ailleurs seule
	22	# sa fenetre active réduit la taille de ma fenetre locale
	23	setw -g aggressive-resize on
	24
	25	# Pour etre alerté sur un changement dans une autre fenêtre
	26	setw -g monitor-activity on
	27	#set -g visual-activity on
	28	#set -g visual-bell on
	29
	30	set -g base-index 1
	31
	32	# repercuter le contenu de la fenetre dans la barre de titre
	33	# reference des string : man tmux (status-left)
	34	set -g set-titles on
	35	set -g set-titles-string '#H #W #T' # host window command
	36
	37	#Dans les valeurs par defaut deja, avec le ssh-agent
	38	set -g update-environment "DISPLAY SSH_ASKPASS SSH_AUTH_SOCK SSH_AGENT_PID SSH_CONNECTION WINDOWID XAUTHORITY PATH"
	39
	40	set -g status off
	41	set -g status-left ''
	42	set -g status-right ''
	43