pyrox.dev / nixpkgs
lol
fork atom

Add module to enable the server for the ssh substituter

Shea Levy fefc0d99 83c98e4d

+47
unified split
+1
nixos/modules/misc/ids.nix
··· 112 112 cgminer = 101; 113 113 munin = 102; 114 114 logcheck = 103; 115 + nix-ssh = 104; 115 116 116 117 # When adding a uid, make sure it doesn't match an existing gid. 117 118
+1
nixos/modules/module-list.nix
··· 125 125 ./services/misc/gpsd.nix 126 126 ./services/misc/nix-daemon.nix 127 127 ./services/misc/nix-gc.nix 128 + ./services/misc/nix-ssh-serve.nix 128 129 ./services/misc/nixos-manual.nix 129 130 ./services/misc/rogue.nix 130 131 ./services/misc/svnserve.nix
+45
nixos/modules/services/misc/nix-ssh-serve.nix
··· 1 + { config, lib, pkgs, ... }: 2 + 3 + let 4 + serveOnly = pkgs.writeScript "nix-store-serve" '' 5 + #!${pkgs.stdenv.shell} 6 + if [ "$SSH_ORIGINAL_COMMAND" != "nix-store --serve" ]; then 7 + echo 'Error: You are only allowed to run `nix-store --serve'\'''!' >&2 8 + exit 1 9 + fi 10 + exec /run/current-system/sw/bin/nix-store --serve 11 + ''; 12 + 13 + inherit (lib) mkIf mkOption types; 14 + in { 15 + options = { 16 + nix.sshServe = { 17 + enable = mkOption { 18 + description = "Whether to enable serving the nix store over ssh."; 19 + default = false; 20 + type = types.bool; 21 + }; 22 + }; 23 + }; 24 + 25 + config = mkIf config.nix.sshServe.enable { 26 + users.extraUsers.nix-ssh = { 27 + description = "User for running nix-store --serve."; 28 + uid = config.ids.uids.nix-ssh; 29 + shell = pkgs.stdenv.shell; 30 + }; 31 + 32 + services.openssh.enable = true; 33 + 34 + services.openssh.extraConfig = '' 35 + Match User nix-ssh 36 + AllowAgentForwarding no 37 + AllowTcpForwarding no 38 + PermitTTY no 39 + PermitTunnel no 40 + X11Forwarding no 41 + ForceCommand ${serveOnly} 42 + Match All 43 + ''; 44 + }; 45 + }