Add module to enable the server for the ssh substituter

Shea Levy fefc0d99 83c98e4d

+47
+1
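--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -112,6 +112,7 @@
 cgminer = 101;
 munin = 102;
 logcheck = 103;
+nix-ssh = 104;
 
 # When adding a uid, make sure it doesn't match an existing gid.
 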
+1
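--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -125,6 +125,7 @@
 ./services/misc/gpsd.nix
 ./services/misc/nix-daemon.nix
 ./services/misc/nix-gc.nix
+./services/misc/nix-ssh-serve.nix
 ./services/misc/nixos-manual.nix
 ./services/misc/rogue.nix
 ./services/misc/svnserve.nix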
+45
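--- a/nixos/modules/services/misc/nix-ssh-serve.nix
+++ b/nixos/modules/services/misc/nix-ssh-serve.nix
@@ -0,0 +1,45 @@
+{ config, lib, pkgs, ... }:
+
+let
+serveOnly = pkgs.writeScript "nix-store-serve" ''
+#!${pkgs.stdenv.shell}
+if [ "$SSH_ORIGINAL_COMMAND" != "nix-store --serve" ]; then
+echo 'Error: You are only allowed to run `nix-store --serve'\'''!' >&2
+exit 1
+fi
+exec /run/current-system/sw/bin/nix-store --serve
+'';
+
+inherit (lib) mkIf mkOption types;
+in {
+options = {
+nix.sshServe = {
+enable = mkOption {
+description = "Whether to enable serving the nix store over ssh.";
+default = false;
+type = types.bool;
+};
+};
+};
+
+config = mkIf config.nix.sshServe.enable {
+users.extraUsers.nix-ssh = {
+description = "User for running nix-store --serve.";
+uid = config.ids.uids.nix-ssh;
+shell = pkgs.stdenv.shell;
+};
+
+services.openssh.enable = true;
+
+services.openssh.extraConfig = ''
+Match User nix-ssh
+AllowAgentForwarding no
+AllowTcpForwarding no
+PermitTTY no
+PermitTunnel no
+X11Forwarding no
+ForceCommand ${serveOnly}
+Match All
+'';
+};
+}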
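Review bot: The module creates the `nix-ssh` user and the `Match User nix-ssh` block but gives no way to install the keys that are allowed to use it, so enabling `nix.sshServe.enable` on its own yields an account nobody can reach and every deployment has to know to set `users.extraUsers.nix-ssh.openssh.authorizedKeys.keys` by hand. A `nix.sshServe.keys = mkOption { default = []; type = types.listOf types.str; description = "Public keys allowed to run nix-store --serve."; }` wired to `users.extraUsers.nix-ssh.openssh.authorizedKeys.keys = config.nix.sshServe.keys;` in the config block would make the intended access path explicit and keep the restriction discoverable next to the option. The `enable` description should also state what the ForceCommand on script line 6 actually guarantees, e.g. `description = "Whether to enable serving the nix store over ssh. Logins as nix-ssh can only run the exact command nix-store --serve; any other command line, extra flags or an interactive session is rejected by the wrapper."`. Separately, `exec /run/current-system/sw/bin/nix-store --serve` on script line 10 runs whichever nix is in the system profile rather than the package the daemon module is configured with; `${config.nix.package}/bin/nix-store` would keep client and daemon in lockstep, if that option exists in this tree.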