Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/misc/ids.nix1
-rw-r--r--nixos/modules/module-list.nix1
-rw-r--r--nixos/modules/services/misc/nix-ssh-serve.nix45
3 files changed, 47 insertions, 0 deletions
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 6d8335516049..7e4c9b9b948a 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -112,6 +112,7 @@
       cgminer = 101;
       munin = 102;
       logcheck = 103;
+      nix-ssh = 104;
 
       # When adding a uid, make sure it doesn't match an existing gid.
 
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index c66cccb3975a..391cc2503bd2 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -125,6 +125,7 @@
   ./services/misc/gpsd.nix
   ./services/misc/nix-daemon.nix
   ./services/misc/nix-gc.nix
+  ./services/misc/nix-ssh-serve.nix
   ./services/misc/nixos-manual.nix
   ./services/misc/rogue.nix
   ./services/misc/svnserve.nix
diff --git a/nixos/modules/services/misc/nix-ssh-serve.nix b/nixos/modules/services/misc/nix-ssh-serve.nix
new file mode 100644
index 000000000000..80e7961b1f82
--- /dev/null
+++ b/nixos/modules/services/misc/nix-ssh-serve.nix
@@ -0,0 +1,45 @@
+{ config, lib, pkgs, ... }:
+
+let
+  serveOnly = pkgs.writeScript "nix-store-serve" ''
+    #!${pkgs.stdenv.shell}
+    if [ "$SSH_ORIGINAL_COMMAND" != "nix-store --serve" ]; then
+      echo 'Error: You are only allowed to run `nix-store --serve'\'''!' >&2
+      exit 1
+    fi
+    exec /run/current-system/sw/bin/nix-store --serve
+  '';
+
+  inherit (lib) mkIf mkOption types;
+in {
+  options = {
+    nix.sshServe = {
+      enable = mkOption {
+        description = "Whether to enable serving the nix store over ssh.";
+        default = false;
+        type = types.bool;
+      };
+    };
+  };
+
+  config = mkIf config.nix.sshServe.enable {
+    users.extraUsers.nix-ssh = {
+      description = "User for running nix-store --serve.";
+      uid = config.ids.uids.nix-ssh;
+      shell = pkgs.stdenv.shell;
+    };
+
+    services.openssh.enable = true;
+
+    services.openssh.extraConfig = ''
+      Match User nix-ssh
+        AllowAgentForwarding no
+        AllowTcpForwarding no
+        PermitTTY no
+        PermitTunnel no
+        X11Forwarding no
+        ForceCommand ${serveOnly}
+      Match All
+    '';
+  };
+}
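Review bot: The option description on the `enable` line says only "serving the nix store over ssh" and leaves out what the module actually enforces: the `serveOnly` wrapper exits unless `$SSH_ORIGINAL_COMMAND` is exactly `nix-store --serve`, so any client with a key for `nix-ssh` gets the whole store and nothing else, and a push (`nix-store --serve --write`) is rejected too. I would spell that out, e.g. `description = "Whether to enable serving the nix store over ssh. Clients authenticating as the nix-ssh user may only run `nix-store --serve` (read-only); authorized keys for that user must be configured separately.";`, since nothing in this file adds keys for the user and a reader cannot tell how clients are meant to authenticate. The trailing `Match All` in `extraConfig` deserves a `#` comment, e.g. `# Match All: close the Match block so later extraConfig from other modules applies globally again`, because without it any sshd options appended after this string would silently become nix-ssh-only. The forced command hard-codes `/run/current-system/sw/bin/nix-store` rather than a `pkgs`/`config.nix.package` path; presumably that is deliberate so the served side follows the system's own nix, but a one-line comment saying so would stop the next maintainer from "fixing" it.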