blob: ca8122a7b13657da7a3747bceabdcffac5fae528 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
|
{ lib, pkgs, config, ... }:
let
restrict = pkgs.runCommand "restrict" {
file = ./restrict;
buildInputs = [ pkgs.makeWrapper ];
} ''
mkdir -p $out/bin
cp $file $out/bin/restrict
chmod a+x $out/bin/restrict
patchShebangs $out/bin/restrict
wrapProgram $out/bin/restrict \
--prefix PATH : ${lib.makeBinPath [ pkgs.bubblewrap pkgs.rrsync ]} \
--set TMUX_RESTRICT ${./tmux.restrict.conf}
'';
in
{
options = {
myServices.pub.enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Whether to enable pub user.
'';
};
myServices.pub.usersProfiles = lib.mkOption {
type = lib.types.attrsOf (lib.types.listOf lib.types.package);
default = {};
description = ''
specific user profile
'';
};
myServices.pub.restrictCommand = lib.mkOption {
type = lib.types.path;
readOnly = true;
default = "${restrict}/bin/restrict";
description = ''
path to the restrict shell
'';
};
};
config = lib.mkIf config.myServices.pub.enable {
myServices.dns.zones."immae.eu".subdomains.pub =
with config.myServices.dns.helpers; ips servers.eldiron.ips.main;
myServices.chatonsProperties.services.vm-like = {
file.datetime = "2022-08-22T01:00:00";
service = {
name = "Comptes shell";
description = "Compte shell cloisonné";
logo = "https://www.openssh.com/favicon.ico";
website = "pub.immae.eu";
status.level = "OK";
status.description = "OK";
registration."" = ["MEMBER" "CLIENT"];
registration.load = "OPEN";
install.type = "PACKAGE";
};
software = {
name = "Openssh";
website = "https://www.openssh.com/";
license.url = "https://github.com/openssh/openssh-portable/blob/master/LICENCE";
license.name = "BSD Licence";
version = pkgs.openssh.version;
source.url = "https://github.com/openssh/openssh-portable";
};
};
myServices.ssh.modules.pub = {
snippet = builtins.readFile ./ldap_pub.sh;
dependencies = [ pkgs.coreutils ];
vars.ldap_forward_group = "cn=forward,cn=pub,ou=services,dc=immae,dc=eu";
vars.ldap_pub_group = "cn=restrict,cn=pub,ou=services,dc=immae,dc=eu";
vars.echo_command = "${pkgs.coreutils}/bin/echo";
vars.restrict_command = "${restrict}/bin/restrict";
};
system.extraSystemBuilderCmds = let
toPath = u: paths: pkgs.buildEnv {
name = "${u}-profile";
inherit paths;
};
in ''
mkdir -p $out/pub
${builtins.concatStringsSep "\n" (lib.mapAttrsToList (u: m: "ln -s ${toPath u m} $out/pub/${u}") config.myServices.pub.usersProfiles)}
'';
users.users.pub = let
in {
createHome = true;
description = "Restricted shell user";
home = "/var/lib/pub";
uid = config.myEnv.users.pub.uid;
isNormalUser = true;
group = "nogroup";
useDefaultShell = true;
packages = [
pkgs.tmux
];
};
};
}
|
