Diffstat (limited to 'nixpkgs/nixos/modules/services/misc/nix-ssh-serve.nix')
-rw-r--r--nixpkgs/nixos/modules/services/misc/nix-ssh-serve.nix61
1 files changed, 61 insertions, 0 deletions
diff --git a/nixpkgs/nixos/modules/services/misc/nix-ssh-serve.nix b/nixpkgs/nixos/modules/services/misc/nix-ssh-serve.nix
new file mode 100644
index 000000000000..7ce3841be2f5
--- /dev/null
+++ b/nixpkgs/nixos/modules/services/misc/nix-ssh-serve.nix
@@ -0,0 +1,61 @@
+{ config, lib, ... }:
+
+with lib;
+let cfg = config.nix.sshServe;
+    command =
+      if cfg.protocol == "ssh"
+        then "nix-store --serve"
+      else "nix-daemon --stdio";
+in {
+  options = {
+
+    nix.sshServe = {
+
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Whether to enable serving the Nix store as a remote store via SSH.";
+      };
+
+      keys = mkOption {
+        type = types.listOf types.str;
+        default = [];
+        example = [ "ssh-dss AAAAB3NzaC1k... alice@example.org" ];
+        description = "A list of SSH public keys allowed to access the binary cache via SSH.";
+      };
+
+      protocol = mkOption {
+        type = types.enum [ "ssh" "ssh-ng" ];
+        default = "ssh";
+        description = "The specific Nix-over-SSH protocol to use.";
+      };
+
+    };
+
+  };
+
+  config = mkIf cfg.enable {
+
+    users.users.nix-ssh = {
+      description = "Nix SSH store user";
+      uid = config.ids.uids.nix-ssh;
+      useDefaultShell = true;
+    };
+
+    services.openssh.enable = true;
+
+    services.openssh.extraConfig = ''
+      Match User nix-ssh
+        AllowAgentForwarding no
+        AllowTcpForwarding no
+        PermitTTY no
+        PermitTunnel no
+        X11Forwarding no
+        ForceCommand ${config.nix.package.out}/bin/${command}
+      Match All
+    '';
+
+    users.users.nix-ssh.openssh.authorizedKeys.keys = cfg.keys;
+
+  };
+}
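Review bot: The `protocol` option description at line 45 does not say that the two values give key holders different levels of access, although the ForceCommand at line 69 is exactly what decides it: `nix-store --serve` (without `--write`) only lets the client query and fetch store paths, whereas `nix-daemon --stdio` hands the client the full daemon protocol as the nix-ssh user, so builds and uploads become possible as far as the local daemon's own policy allows. Suggest making that explicit, e.g. `description = "The Nix-over-SSH protocol to use. \"ssh\" (nix-store --serve) lets clients only query and download store paths; \"ssh-ng\" (nix-daemon --stdio) exposes the full daemon protocol to the client, which may include builds and uploads.";`. The `keys` description at line 39 also says "binary cache", which is narrower than what the module serves; "Nix store" would match the wording of the `enable` option at line 32. The Match block itself (no PTY, no agent/TCP forwarding, no tunnel, no X11) is the right lockdown for a forced-command account.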