author | Shea Levy <shea@shealevy.com> | 2014-02-20 12:34:54 -0500 |
committer | Shea Levy <shea@shealevy.com> | 2014-02-20 13:40:51 -0500 |
commit | fefc0d9917aebab210a62fd80b09af8622c64e94 (patch) | |
tree | 2b82647e0b9efb640ebbc9fcc826186b1471e4a1 /nixos/modules/services | |
parent | 83c98e4dd6c264b480550c6ae90d4038d99b317d (diff) | |
Add module to enable the server for the ssh substituter
Diffstat (limited to 'nixos/modules/services')
-rw-r--r-- | nixos/modules/services/misc/nix-ssh-serve.nix | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/nixos/modules/services/misc/nix-ssh-serve.nix b/nixos/modules/services/misc/nix-ssh-serve.nix
new file mode 100644
index 000000000000..80e7961b1f82
--- /dev/null
+++ b/nixos/modules/services/misc/nix-ssh-serve.nix
@@ -0,0 +1,45 @@
+{ config, lib, pkgs, ... }:
+
+let
+ serveOnly = pkgs.writeScript "nix-store-serve" ''
+ #!${pkgs.stdenv.shell}
+ if [ "$SSH_ORIGINAL_COMMAND" != "nix-store --serve" ]; then
+ echo 'Error: You are only allowed to run `nix-store --serve'\'''!' >&2
+ exit 1
+ fi
+ exec /run/current-system/sw/bin/nix-store --serve
+ '';
+
+ inherit (lib) mkIf mkOption types;
+in {
+ options = {
+ nix.sshServe = {
+ enable = mkOption {
+ description = "Whether to enable serving the nix store over ssh.";
+ default = false;
+ type = types.bool;
+ };
+ };
+ };
+
+ config = mkIf config.nix.sshServe.enable {
+ users.extraUsers.nix-ssh = {
+ description = "User for running nix-store --serve.";
+ uid = config.ids.uids.nix-ssh;
+ shell = pkgs.stdenv.shell;
+ };
+
+ services.openssh.enable = true;
+
+ services.openssh.extraConfig = ''
+ Match User nix-ssh
+ AllowAgentForwarding no
+ AllowTcpForwarding no
+ PermitTTY no
+ PermitTunnel no
+ X11Forwarding no
+ ForceCommand ${serveOnly}
+ Match All
+ '';
+ };
+}
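Review bot: The module creates the `nix-ssh` account and restricts it with a ForceCommand, but it neither provisions nor documents how clients authenticate to it, so enabling `nix.sshServe.enable` alone yields a user nobody can log in as. The `enable` option's description should say that the administrator must add client public keys for this user, e.g. `description = "Whether to enable serving the nix store over ssh. Clients authenticate as the nix-ssh user; add their public keys via users.extraUsers.nix-ssh.openssh.authorizedKeys.keys.";` (or the module could expose its own keys option). The `Match User nix-ssh` block relies on the wrapper script as the only guard on what the account can do; adding `PasswordAuthentication no` inside that block would keep the account key-only regardless of the global sshd setting, which is cheap defence in depth given the user has a real login shell. The exact-match check on `$SSH_ORIGINAL_COMMAND` in `serveOnly` is sound as written; it is worth a one-line comment in the script noting that `nix-store --serve` without `--write` is read-only, so a reader does not widen it casually.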