authorShea Levy <shea@shealevy.com>2014-02-20 12:34:54 -0500
committerShea Levy <shea@shealevy.com>2014-02-20 13:40:51 -0500
commitfefc0d9917aebab210a62fd80b09af8622c64e94 (patch)
tree2b82647e0b9efb640ebbc9fcc826186b1471e4a1 /nixos
parent83c98e4dd6c264b480550c6ae90d4038d99b317d (diff)
Add module to enable the server for the ssh substituter
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/misc/ids.nix1
-rw-r--r--nixos/modules/module-list.nix1
-rw-r--r--nixos/modules/services/misc/nix-ssh-serve.nix45
3 files changed, 47 insertions, 0 deletions
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 6d8335516049..7e4c9b9b948a 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -112,6 +112,7 @@
       cgminer = 101;
       munin = 102;
       logcheck = 103;
+      nix-ssh = 104;
 
       # When adding a uid, make sure it doesn't match an existing gid.
 
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index c66cccb3975a..391cc2503bd2 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -125,6 +125,7 @@
   ./services/misc/gpsd.nix
   ./services/misc/nix-daemon.nix
   ./services/misc/nix-gc.nix
+  ./services/misc/nix-ssh-serve.nix
   ./services/misc/nixos-manual.nix
   ./services/misc/rogue.nix
   ./services/misc/svnserve.nix
diff --git a/nixos/modules/services/misc/nix-ssh-serve.nix b/nixos/modules/services/misc/nix-ssh-serve.nix
new file mode 100644
index 000000000000..80e7961b1f82
--- /dev/null
+++ b/nixos/modules/services/misc/nix-ssh-serve.nix
@@ -0,0 +1,45 @@
+{ config, lib, pkgs, ... }:
+
+let
+  serveOnly = pkgs.writeScript "nix-store-serve" ''
+    #!${pkgs.stdenv.shell}
+    if [ "$SSH_ORIGINAL_COMMAND" != "nix-store --serve" ]; then
+      echo 'Error: You are only allowed to run `nix-store --serve'\'''!' >&2
+      exit 1
+    fi
+    exec /run/current-system/sw/bin/nix-store --serve
+  '';
+
+  inherit (lib) mkIf mkOption types;
+in {
+  options = {
+    nix.sshServe = {
+      enable = mkOption {
+        description = "Whether to enable serving the nix store over ssh.";
+        default = false;
+        type = types.bool;
+      };
+    };
+  };
+
+  config = mkIf config.nix.sshServe.enable {
+    users.extraUsers.nix-ssh = {
+      description = "User for running nix-store --serve.";
+      uid = config.ids.uids.nix-ssh;
+      shell = pkgs.stdenv.shell;
+    };
+
+    services.openssh.enable = true;
+
+    services.openssh.extraConfig = ''
+      Match User nix-ssh
+        AllowAgentForwarding no
+        AllowTcpForwarding no
+        PermitTTY no
+        PermitTunnel no
+        X11Forwarding no
+        ForceCommand ${serveOnly}
+      Match All
+    '';
+  };
+}
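Review bot: The `nix.sshServe.enable` description does not say how a client gets access, yet enabling the option by itself creates the `nix-ssh` user with no authorized keys, so nothing can actually connect until the administrator adds keys to that user. I would extend the description to, e.g., `"Whether to enable serving the nix store over ssh. Clients must be given an authorized key for the nix-ssh user, which is restricted by ForceCommand to nix-store --serve."` so the access model is visible where the option is documented. The ForceCommand script also hard-codes `/run/current-system/sw/bin/nix-store`; since the Nix module already exposes the Nix package to use, `exec ${config.nix.package}/bin/nix-store --serve` would keep this service on the same binary as the daemon (worth confirming the option name against nix-daemon.nix in this tree). A comment above the `Match User nix-ssh` block noting that the forwarding/TTY/tunnel restrictions are what keeps the forced command from being turned into a general shell would help the next reader understand why each line is there.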