From 5ccc61bb90f4e8959a0866c9ce2e711453d0fd9b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Fri, 1 Mar 2019 16:08:32 +0100 Subject: Add "pub" user --- nixops/eldiron.nix | 2 + nixops/ldap_authorized_keys.sh | 2 +- nixops/modules/pub/default.nix | 44 ++++++++++++++++++ nixops/modules/pub/restrict | 59 +++++++++++++++++++++++++ nixops/modules/pub/tmux.restrict.conf | 43 ++++++++++++++++++ nixops/modules/websites/tools/cloud/default.nix | 2 +- 6 files changed, 150 insertions(+), 2 deletions(-) create mode 100644 nixops/modules/pub/default.nix create mode 100644 nixops/modules/pub/restrict create mode 100644 nixops/modules/pub/tmux.restrict.conf (limited to 'nixops') diff --git a/nixops/eldiron.nix b/nixops/eldiron.nix index 5dff7d4..5f0b5d5 100644 --- a/nixops/eldiron.nix +++ b/nixops/eldiron.nix @@ -30,6 +30,7 @@ ./modules/websites ./modules/mail ./modules/ftp + ./modules/pub ]; services.myGitolite.enable = true; services.myDatabases.enable = true; @@ -37,6 +38,7 @@ services.myWebsites.integration.enable = true; services.myWebsites.tools.enable = true; services.pure-ftpd.enable = true; + services.pub.enable = true; services.journald.extraConfig = '' MaxLevelStore="warning" diff --git a/nixops/ldap_authorized_keys.sh b/nixops/ldap_authorized_keys.sh index ceaddbe..d869d74 100755 --- a/nixops/ldap_authorized_keys.sh +++ b/nixops/ldap_authorized_keys.sh @@ -92,7 +92,7 @@ ldap_keys() { key_forward=$(clean_key_line forward "$line") if [ ! -z "$key" ]; then if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then - echo -n 'command="$HOME/bin/restrict '$user'" ' + echo -n 'command="/etc/profiles/per-user/pub/bin/restrict '$user'" ' echo $key fi elif [ ! -z "$key_forward" ]; then diff --git a/nixops/modules/pub/default.nix b/nixops/modules/pub/default.nix new file mode 100644 index 0000000..59263ad --- /dev/null +++ b/nixops/modules/pub/default.nix 
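Review bot: The `command=` option is still the only restriction on the generated authorized_keys line, so port, agent and X11 forwarding remain available to the key holder even though the forced command itself is confined; the path change does not address that. Prepend the matching flags to the option string, `echo -n 'no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/etc/profiles/per-user/pub/bin/restrict '$user'" '`, or enforce the same through a `Match User pub` block in sshd_config. `$user` is spliced into the string unquoted, so a value containing `"` or a space would corrupt the option syntax; this is pre-existing, but since the restrict script also uses the value as a directory name, checking it against a plain-username pattern where it is read (outside this hunk) is worth doing. ldap_keys() starts before the hunk.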
@@ -0,0 +1,44 @@
+{ lib, pkgs, config, myconfig, mylibs, ... }:
+{
+ options = {
+ services.pub.enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = ''
+ Whether to enable pub user.
+ '';
+ };
+ };
+
+ config = lib.mkIf config.services.pub.enable {
+ users.users.pub = let
+ restrict = pkgs.runCommand "restrict" {
+ file = ./restrict;
+ buildInputs = [ pkgs.makeWrapper ];
+ } ''
+ mkdir -p $out/bin
+ cp $file $out/bin/restrict
+ chmod a+x $out/bin/restrict
+ patchShebangs $out/bin/restrict
+ wrapProgram $out/bin/restrict \
+ --prefix PATH : ${lib.makeBinPath [ pkgs.bubblewrap pkgs.rrsync ]} \
+ --set TMUX_RESTRICT ${./tmux.restrict.conf}
+ '';
+ in {
+ createHome = true;
+ description = "Restricted shell user";
+ home = "/var/lib/pub";
+ uid = myconfig.env.users.pub.uid;
+ useDefaultShell = true;
+ packages = [
+ restrict
+ pkgs.tmux
+ (pkgs.pidgin.override { plugins = [
+ pkgs.purple-plugin-pack pkgs.purple-hangouts
+ pkgs.purple-discord pkgs.purple-facebook
+ pkgs.telegram-purple
+ ]; })
+ ];
+ };
+ };
+}
diff --git a/nixops/modules/pub/restrict b/nixops/modules/pub/restrict
new file mode 100644
index 0000000..a16d7a5
--- /dev/null
+++ b/nixops/modules/pub/restrict
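Review bot: `useDefaultShell = true` gives the account described as "Restricted shell user" an ordinary login shell, so confinement rests entirely on every authorized key for `pub` carrying the `command=` option and on no other login path for the account being open; a comment on that line, e.g. `# confinement is enforced by the forced command in authorized_keys, not by the shell`, would make that dependency explicit. The wrapper prefixes PATH with bubblewrap and rrsync only, while the wrapped script also runs `nix-store`, `getent` and `id`; these presumably come from the sshd session's system PATH, but if the wrapper is meant to be self-contained they belong in the same `makeBinPath` list. `mylibs` in the argument set on the first line is unused.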
@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+user="$1"
+rootuser="$HOME/$user/"
+mkdir -p $rootuser
+
+orig="$SSH_ORIGINAL_COMMAND"
+if [ -z "$orig" ]; then
+ orig="/bin/bash -l"
+fi
+if [ "${orig:0:7}" = "command" ]; then
+ orig="${orig:8}"
+fi
+
+case "$orig" in
+rsync*)
+ rrsync $HOME/$user/
+ ;;
+*)
+ nix_store_paths() {
+ nix-store -q -R \
+ /run/current-system/sw \
+ /etc/profiles/per-user/pub \
+ | while read i; do
+ printf '%s--bind\0'$i'\0'$i'\0' ''
+ done
+ }
+
+ set -euo pipefail
+ (exec -c bwrap --ro-bind /usr /usr \
+ --args 10 \
+ --dir /tmp \
+ --dir /var \
+ --symlink ../tmp var/tmp \
+ --proc /proc \
+ --dev /dev \
+ --ro-bind /etc/resolv.conf /etc/resolv.conf \
+ --ro-bind /run/current-system/sw/lib/locale/locale-archive /etc/locale-archive \
+ --ro-bind /run/current-system/sw/bin /bin \
+ --ro-bind /etc/profiles/per-user/pub/bin /bin-pub \
+ --bind /var/lib/pub/$user /var/lib/pub \
+ --ro-bind $TMUX_RESTRICT /var/lib/pub/.tmux.restrict.conf \
+ --chdir /var/lib/pub \
+ --unshare-all \
+ --share-net \
+ --dir /run/user/$(id -u) \
+ --setenv TERM "$TERM" \
+ --setenv LOCALE_ARCHIVE "/etc/locale-archive" \
+ --setenv XDG_RUNTIME_DIR "/run/user/`id -u`" \
+ --setenv PS1 "$user@pub $ " \
+ --setenv PATH "/bin:/bin-pub" \
+ --setenv HOME "/var/lib/pub" \
+ --file 11 /etc/passwd \
+ --file 12 /etc/group \
+ -- $orig) \
+ 10< <(nix_store_paths) \
+ 11< <(getent passwd $UID 65534) \
+ 12< <(getent group $(id -g) 65534)
+ ;;
+esac
diff --git a/nixops/modules/pub/tmux.restrict.conf b/nixops/modules/pub/tmux.restrict.conf
new file mode 100644
index 0000000..5aefd1c
--- /dev/null
+++ b/nixops/modules/pub/tmux.restrict.conf
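Review bot: `user="$1"` is used unvalidated as a path component in `rootuser="$HOME/$user/"`, in `rrsync $HOME/$user/` and in `--bind /var/lib/pub/$user /var/lib/pub`, so a value containing `/`, `..` or whitespace selects a different host directory for the writable bind; the value arrives through the `command=` option built by ldap_authorized_keys.sh, and nothing in this script constrains it. Reject anything that is not a plain username right after the assignment, e.g. `case "$user" in ''|.*|*[!A-Za-z0-9_.-]*) echo "invalid user" >&2; exit 1;; esac`, and quote the expansions (`mkdir -p "$rootuser"`). Separately, `set -euo pipefail` is in effect before `--setenv TERM "$TERM"`, so a session without a pty, where sshd does not export TERM, aborts with an unbound-variable error instead of running the command; `"${TERM:-dumb}"` avoids that. The early `mkdir -p` and the rsync branch run before `set -e`, so a failure there is silently ignored.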
@@ -0,0 +1,43 @@ +# Pour les nostalgiques de screen +# comme les raccourcis ne sont pas les mêmes, j'évite +set -g prefix C-a +unbind-key C-b + +unbind-key -a +bind-key -n C-h list-keys +bind-key C-d detach +bind-key & confirm-before -p "kill-window #W? (y/n)" kill-window + +# même hack que sur screen lorsqu'on veut profiter du scroll du terminal +# (xterm ...) +set -g terminal-overrides 'xterm*:smcup@:rmcup@' + +#Pour les ctrl+arrow +set-option -g xterm-keys on + +# c'est un minimum (defaut 2000) +set-option -g history-limit 10000 + +# lorsque j'ai encore un tmux ailleurs seule +# sa fenetre active réduit la taille de ma fenetre locale +setw -g aggressive-resize on + +# Pour etre alerté sur un changement dans une autre fenêtre +setw -g monitor-activity on +#set -g visual-activity on +#set -g visual-bell on + +set -g base-index 1 + +# repercuter le contenu de la fenetre dans la barre de titre +# reference des string : man tmux (status-left) +set -g set-titles on +set -g set-titles-string '#H #W #T' # host window command + +#Dans les valeurs par defaut deja, avec le ssh-agent +set -g update-environment "DISPLAY SSH_ASKPASS SSH_AUTH_SOCK SSH_AGENT_PID SSH_CONNECTION WINDOWID XAUTHORITY PATH" + +set -g status off +set -g status-left '' +set -g status-right '' + diff --git a/nixops/modules/websites/tools/cloud/default.nix b/nixops/modules/websites/tools/cloud/default.nix index 360d52c..dc3dde2 100644 --- a/nixops/modules/websites/tools/cloud/default.nix +++ b/nixops/modules/websites/tools/cloud/default.nix @@ -24,7 +24,7 @@ in { ]; }; - environment.systemPackages = let + users.users.root.packages = let occ = pkgs.writeScriptBin "nextcloud-occ" '' #! ${pkgs.stdenv.shell} cd ${nextcloud.webRoot} -- cgit v1.2.3