mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-11-24 07:53:19 +00:00
68 lines
1.9 KiB
Nix
68 lines
1.9 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
let cfg = config.nix.sshServe;
|
|
command =
|
|
if cfg.protocol == "ssh"
|
|
then "nix-store --serve ${lib.optionalString cfg.write "--write"}"
|
|
else "nix-daemon --stdio";
|
|
in {
|
|
options = {
|
|
|
|
nix.sshServe = {
|
|
|
|
enable = lib.mkOption {
|
|
type = lib.types.bool;
|
|
default = false;
|
|
description = "Whether to enable serving the Nix store as a remote store via SSH.";
|
|
};
|
|
|
|
write = lib.mkOption {
|
|
type = lib.types.bool;
|
|
default = false;
|
|
description = "Whether to enable writing to the Nix store as a remote store via SSH. Note: the sshServe user is named nix-ssh and is not a trusted-user. nix-ssh should be added to the {option}`nix.settings.trusted-users` option in most use cases, such as allowing remote building of derivations.";
|
|
};
|
|
|
|
keys = lib.mkOption {
|
|
type = lib.types.listOf lib.types.str;
|
|
default = [];
|
|
example = [ "ssh-dss AAAAB3NzaC1k... alice@example.org" ];
|
|
description = "A list of SSH public keys allowed to access the binary cache via SSH.";
|
|
};
|
|
|
|
protocol = lib.mkOption {
|
|
type = lib.types.enum [ "ssh" "ssh-ng" ];
|
|
default = "ssh";
|
|
description = "The specific Nix-over-SSH protocol to use.";
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
|
|
users.users.nix-ssh = {
|
|
description = "Nix SSH store user";
|
|
isSystemUser = true;
|
|
group = "nix-ssh";
|
|
shell = pkgs.bashInteractive;
|
|
};
|
|
users.groups.nix-ssh = {};
|
|
|
|
services.openssh.enable = true;
|
|
|
|
services.openssh.extraConfig = ''
|
|
Match User nix-ssh
|
|
AllowAgentForwarding no
|
|
AllowTcpForwarding no
|
|
PermitTTY no
|
|
PermitTunnel no
|
|
X11Forwarding no
|
|
ForceCommand ${config.nix.package.out}/bin/${command}
|
|
Match All
|
|
'';
|
|
|
|
users.users.nix-ssh.openssh.authorizedKeys.keys = cfg.keys;
|
|
|
|
};
|
|
}
|