modules/private/pub/default.nix


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59

{ lib, pkgs, config,  ... }:
{
  options = {
    myServices.pub.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Whether to enable pub user.
      '';
    };
  };

  config = lib.mkIf config.myServices.pub.enable {
    myServices.ssh.modules = [{
      snippet = builtins.readFile ./ldap_pub.sh;
      dependencies = [ pkgs.coreutils ];
    }];
    services.duplyBackup.profiles.pub = {
      rootDir = "/var/lib/pub";
    };
    users.users.pub = let
      restrict = pkgs.runCommand "restrict" { 
        file = ./restrict;
        buildInputs = [ pkgs.makeWrapper ];
      } ''
        mkdir -p $out/bin
        cp $file $out/bin/restrict
        chmod a+x $out/bin/restrict
        patchShebangs $out/bin/restrict
        wrapProgram $out/bin/restrict \
          --prefix PATH : ${lib.makeBinPath [ pkgs.bubblewrap pkgs.rrsync ]} \
          --set TMUX_RESTRICT ${./tmux.restrict.conf}
      '';
      purple-hangouts = pkgs.purple-hangouts.overrideAttrs(old: {
        installPhase = ''
          install -Dm755 -t $out/lib/purple-2/ libhangouts.so
          for size in 16 22 24 48; do
            install -TDm644 hangouts$size.png $out/share/pixmaps/pidgin/protocols/$size/hangouts.png
          done
          '';
      });
    in {
      createHome = true;
      description = "Restricted shell user";
      home = "/var/lib/pub";
      uid = config.myEnv.users.pub.uid;
      useDefaultShell = true;
      packages = [
        restrict
        pkgs.tmux
        (pkgs.pidgin.override { plugins = [
          pkgs.purple-plugin-pack purple-hangouts
          pkgs.purple-discord pkgs.purple-facebook
          pkgs.telegram-purple
        ]; })
        ];
    };
  };
}